CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to setup listeners that will receive and install malware from remote sources in trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.

ATT&CK Detection

Technique Subtechnique(s) Tactic(s) Level of Coverage
Signed Binary Proxy Execution CMSTP Defense Evasion High

Data Model References

Object Action Field
process create exe
process create src_ip

Implementations

Pseudocode - CMSTP (Pseudocode, CAR native)

This is a pseudocode representation of the below splunk search.

processes = search Process:Create
target_processes = filter processes where (
  exe="C:\Windows\System32\CMSTP.exe" AND
  src_ip NOT IN [10.0.0.0/8,192.168.0.0/16, 172.16.0.0/12] )
output target_processes

Splunk Search - CMSTP (Splunk, Sysmon native)

looks for instances of CMSTP.exe that are combined with external communication

(index=__your_sysmon_index__ EventCode=3) Image="C:\\Windows\\System32\\CMSTP.exe" | where ((!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp))

LogPoint Search - CMSTP (Logpoint, LogPoint native)

looks for instances of CMSTP.exe that are combined with external communication

norm_id=WindowsSysmon event_id=3 image="C:\Windows\System32\CMSTP.exe" -source_address IN HOMENET