CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to set up listeners that will receive and install malware from remote sources in a trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Signed Binary Proxy Execution | CMSTP | Defense Evasion | High |
Data Model References
Pseudocode - CMSTP (Pseudocode, CAR native)
This is a pseudocode representation of the Splunk search below.
processes = search Process:Create
target_processes = filter processes where (
  exe="C:\Windows\System32\CMSTP.exe" AND
  src_ip NOT IN [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]
)
output target_processes
Splunk Search - CMSTP (Splunk, Sysmon native)
Looks for instances of CMSTP.exe that are combined with external communication, using Sysmon Event ID 3 (network connection) records.
(index=__your_sysmon_index__ EventCode=3) Image="C:\\Windows\\System32\\CMSTP.exe" | where (NOT cidrmatch("10.0.0.0/8", SourceIp) AND NOT cidrmatch("192.168.0.0/16", SourceIp) AND NOT cidrmatch("172.16.0.0/12", SourceIp))
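The Sysmon-based check above, as an added example that is not part of the CAR analytic: a small Python filter that applies the same rules (Event ID 3, CMSTP.exe image, address outside the three RFC 1918 ranges) to constructed Sysmon records. The ip_field parameter and the sample records are assumptions for illustration; the field names are the Sysmon fields the search uses. Note that for a connection CMSTP.exe initiates, Sysmon records the local host as SourceIp and the remote endpoint as DestinationIp, so the example lets you pick which field the private-range check runs against.

```python
import ipaddress

# RFC 1918 ranges the page's search excludes via the cidrmatch() chain.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
CMSTP_PATH = r"C:\Windows\System32\CMSTP.exe"


def is_external(ip):
    """True when ip parses and lies outside all three private ranges.
    Missing or unparseable values return False, so the event is not flagged."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in PRIVATE_NETS)


def matches_cmstp_external(event, ip_field="SourceIp"):
    """Apply the analytic to one Sysmon Event ID 3 record (dict of field -> value).
    ip_field defaults to SourceIp to mirror the page's search; pass "DestinationIp"
    to test the remote endpoint of an outbound connection instead (assumed parameter)."""
    if event.get("EventCode") != 3:                    # network connection events only
        return False
    if event.get("Image", "").lower() != CMSTP_PATH.lower():  # Splunk matches field values case-insensitively
        return False
    return is_external(event.get(ip_field, ""))


def run_analytic(events, ip_field="SourceIp"):
    """Return the ProcessIds of the events the analytic would surface."""
    return [e["ProcessId"] for e in events if matches_cmstp_external(e, ip_field)]


# Constructed sample records (not real telemetry); documentation-range IPs stand in for "external".
SAMPLE_EVENTS = [
    {"EventCode": 3, "Image": r"C:\Windows\System32\CMSTP.exe",
     "SourceIp": "10.1.2.3", "DestinationIp": "203.0.113.10", "ProcessId": 4120},
    {"EventCode": 3, "Image": r"C:\Windows\System32\cmstp.exe",
     "SourceIp": "198.51.100.7", "DestinationIp": "10.1.2.3", "ProcessId": 4121},
    {"EventCode": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "SourceIp": "198.51.100.7", "DestinationIp": "10.1.2.3", "ProcessId": 4122},
    {"EventCode": 1, "Image": r"C:\Windows\System32\CMSTP.exe",
     "SourceIp": "198.51.100.7", "ProcessId": 4123},
]

if __name__ == "__main__":
    print("SourceIp check flags:", run_analytic(SAMPLE_EVENTS))
    print("DestinationIp check flags:", run_analytic(SAMPLE_EVENTS, "DestinationIp"))
```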