MITRE ATT&CK Technique
Description
The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1117) / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.

CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-04-18T17:59:24.739Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'The Microsoft Connection Manager Profile Installer '
'(CMSTP.exe) is a command-line program used to install '
'Connection Manager service profiles. (Citation: Microsoft '
'Connection Manager Oct 2009) CMSTP.exe accepts an '
'installation information file (INF) as a parameter and '
'installs a service profile leveraged for remote access '
'connections.\n'
'\n'
'Adversaries may supply CMSTP.exe with INF files infected with '
'malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) '
'Similar to '
'[Regsvr32](https://attack.mitre.org/techniques/T1117) / '
'”Squiblydoo”, CMSTP.exe may be abused to load and execute '
'DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM '
'scriptlets (SCT) from remote servers. (Citation: Twitter '
'CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass '
'List) (Citation: Endurant CMSTP July 2018) This execution may '
'also bypass AppLocker and other whitelisting defenses since '
'CMSTP.exe is a legitimate, signed Microsoft application.\n'
'\n'
'CMSTP.exe can also be abused to [Bypass User Account '
'Control](https://attack.mitre.org/techniques/T1088) and '
'execute arbitrary commands from a malicious INF through an '
'auto-elevated COM interface. (Citation: MSitPros CMSTP Aug '
'2017) (Citation: GitHub Ultimate AppLocker Bypass List) '
'(Citation: Endurant CMSTP July 2018)',
'external_references': [{'external_id': 'T1191',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1191'},
{'description': 'Microsoft. (2009, October 8). How '
'Connection Manager Works. Retrieved '
'April 11, 2018.',
'source_name': 'Microsoft Connection Manager Oct '
'2009',
'url': 'https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)'},
{'description': 'Carr, N. (2018, January 31). Here is '
'some early bad cmstp.exe... '
'Retrieved April 11, 2018.',
'source_name': 'Twitter CMSTP Usage Jan 2018',
'url': 'https://twitter.com/ItsReallyNick/status/958789644165894146'},
{'description': 'Moe, O. (2017, August 15). Research '
'on CMSTP.exe. Retrieved April 11, '
'2018.',
'source_name': 'MSitPros CMSTP Aug 2017',
'url': 'https://msitpros.com/?p=3960'},
{'description': 'Tyrer, N. (2018, January 30). '
'CMSTP.exe - remote .sct execution '
'applocker bypass. Retrieved April '
'11, 2018.',
'source_name': 'Twitter CMSTP Jan 2018',
'url': 'https://twitter.com/NickTyrer/status/958450014111633408'},
{'description': 'Moe, O. (2018, March 1). Ultimate '
'AppLocker Bypass List. Retrieved '
'April 10, 2018.',
'source_name': 'GitHub Ultimate AppLocker Bypass '
'List',
'url': 'https://github.com/api0cradle/UltimateAppLockerByPassList'},
{'description': 'Seetharaman, N. (2018, July 7). '
'Detecting CMSTP-Enabled Code '
'Execution and UAC Bypass With '
'Sysmon.. Retrieved August 6, 2018.',
'source_name': 'Endurant CMSTP July 2018',
'url': 'http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/'}],
'id': 'attack-pattern--7d6f590f-544b-45b4-9a42-e0805f342af3',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:49:00.746Z',
'name': 'CMSTP',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Ye Yint Min Thu Htut, Offensive Security Team, DBS '
'Bank',
'Nik Seetharaman, Palantir'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}