Esc
CMSTP - T1218.003

(ATT&CK® Technique)
Definition

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1218003["CMSTP"] --> |may-produce| NetworkTraffic["Network Traffic"]; class T1218003 OffensiveTechniqueNode;
        class NetworkTraffic ArtifactNode; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";
        click T1218003 href "/offensive-technique/attack/T1218.003/"; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic"; T1218003["CMSTP"] --> |invokes| CreateProcess["Create Process"]; class T1218003 OffensiveTechniqueNode;
        class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
        click T1218003 href "/offensive-technique/attack/T1218.003/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess";                          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1218003["CMSTP"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1218003["CMSTP"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1218003["CMSTP"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";                                        ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1218003["CMSTP"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";              PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1218003["CMSTP"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";            NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1218003["CMSTP"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";                UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | NetworkTraffic["Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1218003["CMSTP"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
            | may-detect | T1218003["CMSTP"] ;
          class ProcessSpawnAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";                           SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | may-detect | T1218003["CMSTP"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";              ExecutableDenylisting["Executable Denylisting"] -->
          | filters | CreateProcess["Create Process"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | may-isolate | T1218003["CMSTP"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
          | restricts | CreateProcess["Create Process"];

          Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
            | may-isolate | T1218003["CMSTP"] ;
          class Hardware-basedProcessIsolation DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableAllowlisting["Executable Allowlisting"] -->
          | filters | CreateProcess["Create Process"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | may-isolate | T1218003["CMSTP"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";                                        SystemCallFiltering["System Call Filtering"] -->
          | filters | CreateProcess["Create Process"];

          SystemCallFiltering["System Call Filtering"] -.->
            | may-isolate | T1218003["CMSTP"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";              NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | NetworkTraffic["Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1218003["CMSTP"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class NetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";
json