Skip to content

MISP galaxy

6f848e15 5234 4445 9a05 2949e4c57f0b

MISP galaxy

Home
Statistics
360net
360net
- 360.net Threat Actors
Ammunitions
Ammunitions
- Ammunitions
Android
Android
- Android
Atrm
Atrm
- Azure Threat Research Matrix
Attck4fraud
Attck4fraud
- attck4fraud
Backdoor
Backdoor
- Backdoor
Banker
Banker
- Banker
Bhadra framework
Bhadra framework
- Bhadra Framework
Botnet
Botnet
- Botnet
Branded vulnerability
Branded vulnerability
- Branded Vulnerability
Cancer
Cancer
- Cancer
Cert eu govsector
Cert eu govsector
- Cert EU GovSector
China defence universities
China defence universities
- China Defence Universities Tracker
Cmtmf attack pattern
Cmtmf attack pattern
- CONCORDIA Mobile Modelling Framework - Attack Pattern
Country
Country
- Country
Cryptominers
Cryptominers
- Cryptominers
Disarm actortypes
Disarm actortypes
- Actor Types
Disarm countermeasures
Disarm countermeasures
- Countermeasures
Disarm detections
Disarm detections
- Detections
Disarm techniques
Disarm techniques
- Techniques
Election guidelines
Election guidelines
- Election guidelines
Entity
Entity
- Entity
Exploit kit
Exploit kit
- Exploit-Kit
Firearms
Firearms
- Firearms
First csirt services framework
First csirt services framework
- FIRST CSIRT Services Framework
First dns
First dns
- FIRST DNS Abuse Techniques Matrix
Gsma motif
Gsma motif
- GSMA MoTIF
Handicap
Handicap
- Handicap
Intelligence agencies
Intelligence agencies
- Intelligence Agencies
Interpol dwva
Interpol dwva
- INTERPOL DWVA Taxonomy
Malpedia
Malpedia
- Malpedia
Microsoft activity group
Microsoft activity group
- Microsoft Activity Group actor
Misinfosec amitt misinformation pattern
Misinfosec amitt misinformation pattern
- Misinformation Pattern
Mitre atlas attack pattern
Mitre atlas attack pattern
- MITRE ATLAS Attack Pattern
Mitre atlas course of action
Mitre atlas course of action
- MITRE ATLAS Course of Action
Mitre attack pattern
Mitre attack pattern
- Attack Pattern
Mitre course of action
Mitre course of action
- Course of Action
Mitre d3fend
Mitre d3fend
- MITRE D3FEND
Mitre data component
Mitre data component
- mitre-data-component
Mitre data source
Mitre data source
- mitre-data-source
Mitre ics assets
Mitre ics assets
- Assets
Mitre ics groups
Mitre ics groups
- Groups
Mitre ics levels
Mitre ics levels
- Levels
Mitre ics software
Mitre ics software
- Software
Mitre ics tactics
Mitre ics tactics
- Tactics
Mitre intrusion set
Mitre intrusion set
- Intrusion Set
Mitre malware
Mitre malware
- Malware
Mitre tool
Mitre tool
- mitre-tool
Nace
Nace
- NACE
Naics
Naics
- NAICS
Nice framework competency areas
Nice framework competency areas
- NICE Competency areas
Nice framework knowledges
Nice framework knowledges
- NICE Knowledges
Nice framework opm codes
Nice framework opm codes
- OPM codes in cybersecurity
Nice framework skills
Nice framework skills
- NICE Skills
Nice framework tasks
Nice framework tasks
- NICE Tasks
Nice framework work roles
Nice framework work roles
- NICE Work Roles
O365 exchange techniques
O365 exchange techniques
- o365-exchange-techniques
Online service
Online service
- online-service
Preventive measure
Preventive measure
- Preventive Measure
Producer
Producer
- Producer
Ransomware
Ransomware
- Ransomware
Rat
Rat
- RAT
Region
Region
- Regions UN M49
Rsit
Rsit
- rsit
Sector
Sector
- Sector
Sigma rules
Sigma rules
- Sigma-Rules
Social dark patterns
Social dark patterns
- Dark Patterns
Sod matrix
Sod matrix
- SoD Matrix
Stealer
Stealer
- Stealer
Surveillance vendor
Surveillance vendor
- Surveillance Vendor
Target information
Target information
- Target Information
Tds
Tds
- TDS
Tea matrix
Tea matrix
- Tea Matrix
Threat actor
Threat actor
- Threat Actor
Tidal campaigns
Tidal campaigns
- Tidal Campaigns
Tidal groups
Tidal groups
- Tidal Groups
Tidal references
Tidal references
- Tidal References
Tidal software
Tidal software
- Tidal Software
Tidal tactic
Tidal tactic
- Tidal Tactic
Tidal technique
Tidal technique
- Tidal Technique
Tmss
Tmss
- Threat Matrix for storage services
Tool
Tool
- Tool
Uavs
Uavs
- UAVs/UCAVs
Ukhsa culture collections
Ukhsa culture collections
- UKHSA Culture Collections

Hide Navigation Hide TOC

Cmstp (6f848e15-5234-4445-9a05-2949e4c57f0b)

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Installs or removes a Connection Manager service profile.

Author: Oddvar Moe

Paths: * C:\Windows\System32\cmstp.exe * C:\Windows\SysWOW64\cmstp.exe

Resources: * https://twitter.com/NickTyrer/status/958450014111633408 * https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 * https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e * https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ * https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp

Detection: * Sigma: proc_creation_win_cmstp_execution_by_creation.yml * Sigma: proc_creation_win_uac_bypass_cmstp.yml * Splunk: cmlua_or_cmstplua_uac_bypass.yml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Elastic: defense_evasion_unusual_process_network_connection.toml * IOC: Execution of cmstp.exe without a VPN use case is suspicious * IOC: DotNet CLR libraries loaded into cmstp.exe * IOC: DotNet CLR Usage Log - cmstp.exe.log^{[Cmstp.exe - LOLBAS Project]}

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Cmstp (6f848e15-5234-4445-9a05-2949e4c57f0b)	Tidal Software	Cobalt Group (58db02e6-d908-47c2-bc82-ed58ada61331)	Tidal Groups	1