As I was perusing MITRE’s ATT&CK framework the other day to learn about techniques I’m less familiar with, I came across the ambiguous-sounding CMSTP (T1191 in ATT&CK) which MITRE states can be used for UAC Bypass and code execution. Being that it’s also allegedly been used by a nation-state actor recently, I wanted to research potential detection strategies and wrap my head around possible blind spots.
Initial research yielded that CMSTP is an old remote access configuration tool that comes with a config wizard called the Config Manager Admin Kit. This wizard spits out, among other things, an INF configuration file that’s able to be weaponized along various dimensions.
Invoking the weaponized INF with CMSTP results in the ability to run both arbitrary scripts (local and remote) and bypass User Account Control to elevate security contexts from medium to high integrity.
Being that CMSTP is a legitimate signed Microsoft binary living in the System32 directory, the implication is an attacker could land on a system, utilize CMSTP to bypass poorly configured application whitelisting, and obtain elevated command shells or pull down arbitrary code remotely via WebDAV.
For more background reading, Oddvar Moe wrote up some great research into how CMSTP works, which gave me a good baseline to build on.
This post will explore various considerations in trying to detect CMSTP exploitation along these various axes using Windows Sysinternals’ Sysmon tool configured with Swift on Security’s baseline configuration, found here.
CMSTP Abuse Vectors
I investigated detection strategies for three different categories of CMSTP abuse, all of which involve arbitrary code execution and two of which allow for code execution with UAC bypass:
- Invoking weaponized .INF setup files to run local or remote .SCT scripts containing malicious VBScript or JScript code.
- Invoking weaponized .INF files to run local executables while enabling UAC bypass / elevating integrity levels, allowing for spinup of elevated command shells.
- Direct utilization of the COM interfaces that CMSTP hooks into, allowing for (slightly) stealthier UAC bypass.
Let’s dive into the detection considerations for each of these methods.
Method 1 – INF-SCT Launch
Bohops wrote a great article with some background and context around INF-SCT fetch and execute techniques here.
The gist is that the ‘UnRegisterOCXSection’ in the malicious INF file can be modified to invoke scrobj.dll and have it execute either a local or remotely fetched .SCT script containing malicious VBScript or JScript code.
Let’s take a look at an example (T1191.inf) pulled from the Atomic Red Team repo that maps to the CMSTP Mitre Technique (T1191):
Executing the command “cmstp.exe /s t1191.inf” will pull down and execute the SCT script located at https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1191/T1191.sct
That script (spawning what looks to be an Advanced Persistent Calculator) looks like so:
Digging into the Sysmon logs in Event Viewer after running the command, we see several Sysmon events generated. Notice that the spawned calc.exe has c:\windows\system32\cmstp.exe as the ParentImage and that the IntegrityLevel is Medium, i.e. no integrity elevation occurred.
Let’s now take a look at the Sysmon 3 Network Connections. One of the connections looks to be to localhost over a high-numbered port. The other shows cmstp.exe as the Image calling out to 184.108.40.206 (GitHub) over 443.
It follows, then, that potential Sysmon detection rules for Method 1 could be:
- Sysmon Event 1 where ParentImage contains cmstp.exe
- Sysmon Event 3 where Image contains cmstp.exe and DestinationIP is external
There are two other very solid write-ups at endurant.io that go deeper into CMSTP and how to detect its abuse using Sysmon.