
CMSTP Proxy Execution

Attackers abuse the signed cmstp.exe and a crafted INF to proxy code execution and bypass UAC under a trusted Windows binary.

cmstp.exe (Microsoft Connection Manager Profile Installer) is a signed Windows binary whose legitimate job is to install Connection Manager service profiles from an .inf configuration file. Those INF files can reference command sections that run during installation — and cmstp will happily execute them, which is exactly what attackers exploit. Because the binary is Microsoft-signed and present on every Windows host, it is an attractive Living-off-the-Land binary (LOLBin) for proxy execution.

What makes cmstp particularly prized is that it can run its INF-defined commands through an auto-elevated COM interface, allowing a crafted profile to launch a payload at high integrity without the usual consent prompt — a UAC bypass. An analyst will typically see the signed cmstp.exe as the visible actor, with the real intent hidden inside an INF dropped to a user-writable directory.

How it works

The attacker writes a malicious .inf that abuses the RunPreSetupCommandsSection (or DefaultInstall/UnRegisterOCXSection) directive to point at an arbitrary command or scriptlet, then invokes the installer silently:

```text
cmstp.exe /au /s C:\Users\Public\profile.inf
```

The /s (silent) and /au (all-users / auto-install) flags suppress UI and drive the install non-interactively. Inside the INF, a section such as [RunPreSetupCommandsSection] lists the launcher command line — frequently a regsvr32 scriptlet fetch or a powershell one-liner — which cmstp executes as it processes the profile. Analysts should treat any cmstp.exe referencing an INF outside %ProgramFiles%/%SystemRoot%, or carrying /s, /ni, or /au against a user-path INF, as anomalous: legitimate profile installs are driven by Connection Manager packaging, not by ad-hoc INFs in \Public\ or %TEMP%.

Detection & analysis

Static analysis:

  • Treat the referenced .inf as the real sample — it is plain text. Read the [RunPreSetupCommandsSection], [DefaultInstall], [UnRegisterOCXSection], and RunPreSetupCommands/AllUSer_LDIDSection entries for embedded command lines, scriptlet .sct/.dll references, or regsvr32/powershell/rundll32 invocations.
  • Triage the command line and INF with YARA/regex: an INF path under %TEMP%, %APPDATA%, or \Public\, plus the flag combination /s with /au or /ni, is a strong abuse indicator. Hunt the INF body for scrobj.dll, http/https, and taskkill (used to dismiss the marshaling dialog).

Dynamic analysis:

  • In a sandbox, observe what cmstp.exe spawns and whether it elevates. A benign install does not launch powershell.exe, cmd.exe, or regsvr32.exe; a child process at a higher integrity level than the parent is the UAC-bypass tell.
  • Watch for outbound network connections from the cmstp.exe PID or its children (remote scriptlet/stage retrieval), and for the auto-elevated COM marshaling behaviour that the bypass relies on.

Detection rule hint:

Alert on Sysmon Event ID 1 where Image ends with \cmstp.exe AND (the command line contains /s, /ni, or /au referencing an INF in a user-writable path, OR the parent process is an Office application or script host). Pair this with a child-process rule: cmstp.exe spawning powershell.exe, cmd.exe, regsvr32.exe, or rundll32.exe is high-confidence. Correlate with Event ID 3 (network) and any integrity-level escalation between parent and child to catch the UAC bypass.
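The rule above as runnable detection logic, added here as an example rather than code from the original page: it scores a few constructed Sysmon Event ID 1 records (field names follow Sysmon's ProcessCreate schema; the sample paths, the Office/script-host parent list and the child-process list are assumptions drawn from the text) against the cmstp invocation condition and the child-process condition.

```python
import re

# Constructed Sysmon Event ID 1 (ProcessCreate) records for illustration only;
# the paths are made up, the field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /au /s C:\Users\Public\profile.inf",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r'cmstp.exe /s "C:\Program Files\ExampleVPN\corp.inf"',
     "ParentImage": r"C:\Program Files\ExampleVPN\setup.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmstp.exe"},
]

SILENT_FLAGS = re.compile(r"(?<!\S)/(s|ni|au)(?!\S)", re.IGNORECASE)
INF_PATH = re.compile(r'"([^"]+\.inf)"|(\S+\.inf)', re.IGNORECASE)
# Directories a standard user can write to; a legitimate profile lives elsewhere.
USER_WRITABLE = re.compile(r"\\(Users|Public|Temp|AppData)\\", re.IGNORECASE)
# Assumed parent and child lists, taken from the rule hint in the text above.
OFFICE_OR_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                          "wscript.exe", "cscript.exe", "mshta.exe"}
PROXY_CHILDREN = {"powershell.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the matching rule name for one ProcessCreate event, or None."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    if image == "cmstp.exe":
        m = INF_PATH.search(cmdline)
        inf = (m.group(1) or m.group(2)) if m else ""
        if SILENT_FLAGS.search(cmdline) and USER_WRITABLE.search(inf):
            return "cmstp_silent_install_of_user_writable_inf"
        if parent in OFFICE_OR_SCRIPT_HOSTS:
            return "cmstp_launched_by_office_or_script_host"
        return None
    if parent == "cmstp.exe" and image in PROXY_CHILDREN:
        return "cmstp_spawned_shell_or_proxy_binary"   # high-confidence child rule
    return None

def scan(events):
    """Run classify() over a batch and keep only the hits."""
    return [(basename(e["Image"]), classify(e)) for e in events if classify(e)]
```

Pairing the two rule names with Event ID 3 (network) records and a parent/child integrity-level comparison, as the text suggests, is left to the SIEM; this block covers only the process-creation side.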
