CMSTP Execution Process Creation

Rule name: CMSTP Execution Process Creation

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Defense Evasion: System Binary Proxy Execution - CMSTP (T1218.003)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This rule detects the execution of cmstp.exe, a legitimate Windows utility used to install Connection Manager service profiles. While cmstp.exe serves valid administrative purposes, it has been abused by attackers to execute malicious scripts and payloads by leveraging its ability to run embedded INF files with elevated privileges. Detection of this process—especially with suspicious parameters or in uncommon contexts—may indicate an attempt to bypass application control mechanisms or escalate privileges.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Native Windows Utility Abuse → cmstp.exe invoked with malicious INF file → Code Execution with Elevated Privileges → Lateral Movement

Impact

  • Privilege escalation
  • Persistence
  • Malware deployment
  • Defense evasion

Rule Requirement

Prerequisites


Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1: actionname = "Process started" AND PARENTPROCESSNAME endswith "\cmstp.exe" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
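The criteria above fire on processes whose parent is cmstp.exe, not on the cmstp.exe launch itself, so what an analyst receives is the child process and its command line. The following is an added example, not code from the rule page or its vendor, that applies the same two conditions to a few constructed process-creation records and projects the same fields the query selects. It assumes the SIEM compares PARENTPROCESSNAME case-insensitively, and the priority ranking by child image is an assumption added for triage, not part of the rule.

```python
"""Added example: apply the rule's criteria to constructed process-creation records."""
from typing import Dict, List

# Fields named in the rule's select clause.
SELECT_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                 "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")

# Assumption for ranking only: a profile install rarely needs cmstp.exe to
# spawn a shell or script host, so such children get the highest priority.
INTERPRETER_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                        "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"actionname": "Process started", "HOSTNAME": "WS01", "USERNAME": "CORP\\jdoe",
     "MESSAGE": "A new process has been created.", "FILE_NAME": "cmd.exe",
     "PROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
     "COMMANDLINE": "cmd.exe /c echo test",
     "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmstp.exe"},
    # cmstp.exe itself, launched from Explorer: parent is not cmstp.exe, no match.
    {"actionname": "Process started", "HOSTNAME": "WS02", "USERNAME": "CORP\\jdoe",
     "MESSAGE": "A new process has been created.", "FILE_NAME": "cmstp.exe",
     "PROCESSNAME": "C:\\Windows\\System32\\cmstp.exe",
     "COMMANDLINE": 'cmstp.exe /ni /s "C:\\VPN\\corp-vpn.inf"',
     "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe"},
    # Termination event with the right parent: wrong action, no match.
    {"actionname": "Process ended", "HOSTNAME": "WS01", "USERNAME": "CORP\\jdoe",
     "MESSAGE": "A process has exited.", "FILE_NAME": "cmd.exe",
     "PROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
     "COMMANDLINE": "cmd.exe /c echo test",
     "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmstp.exe"},
    # Upper-case parent path: matches when the comparison ignores case.
    {"actionname": "Process started", "HOSTNAME": "WS03", "USERNAME": "CORP\\asmith",
     "MESSAGE": "A new process has been created.", "FILE_NAME": "notepad.exe",
     "PROCESSNAME": "C:\\Windows\\System32\\notepad.exe",
     "COMMANDLINE": "notepad.exe",
     "PARENTPROCESSNAME": "C:\\WINDOWS\\SYSTEM32\\CMSTP.EXE"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """actionname = "Process started" AND PARENTPROCESSNAME endswith "\\cmstp.exe"."""
    if event.get("actionname") != "Process started":
        return False
    return event.get("PARENTPROCESSNAME", "").lower().endswith("\\cmstp.exe")


def project(event: Dict[str, str]) -> Dict[str, str]:
    """Keep only the fields the rule's select clause returns."""
    return {f: event.get(f, "") for f in SELECT_FIELDS}


def triage(event: Dict[str, str]) -> str:
    """Rank a matched child: interpreters spawned by cmstp.exe go first."""
    return "critical" if _basename(event.get("PROCESSNAME", "")) in INTERPRETER_CHILDREN else "review"


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one projected alert, with a priority, per matching event."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alert = project(ev)
            alert["priority"] = triage(ev)
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["priority"], alert["HOSTNAME"], alert["PARENTPROCESSNAME"], "->", alert["COMMANDLINE"])
```

Of the four constructed records only the first and last match; the second shows that a user simply launching cmstp.exe is not covered by these criteria, which is worth knowing when the rule is compared against the description's "execution of cmstp.exe".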

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution - CMSTP (T1218.003)

Security Standards

Enabling this rule will help you meet the security standards' requirements listed below:

PR.AC-01: Identities and credentials are managed for authorized devices and users.
DE.CM-07: Monitoring is performed to detect unauthorized personnel, connections, devices, and software.

By alerting on the execution of cmstp.exe, a legitimate Windows binary often abused for bypassing security controls, this rule helps detect potential privilege escalation or defense evasion attempts through living-off-the-land techniques.

Author

Nik Seetharaman

Future actions

Known False Positives

This rule may be triggered by legitimate administrative tasks that use cmstp.exe for configuring network connections via custom INF files, such as VPN or dial-up setups.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Determine whether the use of cmstp.exe is associated with a known administrative action or is part of a suspicious process chain.
  • Analysis: Inspect the INF file passed to cmstp.exe. Malicious variants often contain embedded scriptlets or commands that result in payload execution.
  • Response: Isolate the host, terminate related processes, and delete any associated malicious INF files.
  • Restrict cmstp.exe: Restrict execution of cmstp.exe through application control policies if not used operationally.
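For the Analysis step, the question is whether the INF routes the install to a section that runs commands or registers DLL/OCX files rather than just copying a profile. The following is an added example, not code from the rule page or its vendor: it extracts the INF path from a cmstp.exe command line, parses the INF's sections, and reports any install-section key that points at such a section. The keys checked (RunPreSetupCommandsSection, RunPostSetupCommandsSection, RegisterOCXSection, UnRegisterOCXSection) are documented Connection Manager INF keys; that these four are the ones worth flagging is an assumption of this example, and both INF texts are constructed samples.

```python
"""Added example: triage the INF file referenced by a cmstp.exe command line."""
import shlex
from typing import Dict, List, Optional, Tuple

# Documented Connection Manager install-section keys that route to a section
# containing commands or DLL/OCX files (assumption: these are the ones to flag).
COMMAND_KEYS = {"runpresetupcommandssection", "runpostsetupcommandssection",
                "registerocxsection", "unregisterocxsection"}

# Constructed benign profile: copies files and writes a registry value only.
BENIGN_INF = """
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
CopyFiles=Xfiles
AddReg=Reg

[Reg]
HKCU,"Software\\Microsoft\\Connection Manager","Placeholder",,""

[Strings]
ServiceName="Corp VPN"
"""

# Constructed suspicious profile: the install section hands off to a command list.
SUSPICIOUS_INF = """
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
RunPreSetupCommandsSection=RunPreSetupCommands

[RunPreSetupCommands]
notepad.exe   ; constructed placeholder command
"""


def inf_path_from_commandline(cmdline: str) -> Optional[str]:
    """Return the last argument that is not a /switch, with surrounding quotes removed."""
    args = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes intact
    for arg in reversed(args[1:]):
        if not arg.startswith("/"):
            return arg.strip('"')
    return None


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Minimal INI-style parser: section name -> non-empty, comment-stripped lines."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in INF files
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_command_sections(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (section, key, target section, target lines) for each flagged key."""
    findings = []
    for name, lines in sections.items():
        for line in lines:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in COMMAND_KEYS:
                target = value.strip()
                findings.append((name, key.strip(), target, sections.get(target, [])))
    return findings


def triage_inf(text: str) -> Dict[str, object]:
    """Verdict plus the evidence an analyst would want to see."""
    findings = find_command_sections(parse_inf(text))
    return {"verdict": "suspicious" if findings else "no command sections",
            "findings": findings}


if __name__ == "__main__":
    path = inf_path_from_commandline('cmstp.exe /ni /s "C:\\VPN\\corp-vpn.inf"')
    print("INF referenced:", path)
    for label, text in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        result = triage_inf(text)
        print(label, "->", result["verdict"])
        for section, key, target, lines in result["findings"]:
            print(f"  [{section}] {key}={target}: {lines}")
```

Run on the two constructed profiles, the benign one produces no findings and the suspicious one reports the DefaultInstall key and the command list it points to, which is the evidence to keep alongside the alert before deciding on the Response step.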

Mitigation

Mitigation ID: M1042

Mitigation Name: Disable or Remove Feature or Program

Mitigation description: CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).

Mitigation ID: M1038

Mitigation Name: Execution Prevention

Mitigation description: Restrict the execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries.