attack.t1218.003

Bypass UAC via CMSTP

Apr 28, 2026 · attack.privilege-escalation attack.stealth attack.t1548.002 attack.t1218.003 ·

Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

CMSTP Execution Process Access

Apr 28, 2026 · attack.stealth attack.t1218.003 attack.execution attack.t1559.001 attack.g0069 attack.g0080 car.2019-04-001 ·

Share on:

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP Execution Process Creation

Apr 28, 2026 · attack.execution attack.stealth attack.t1218.003 attack.g0069 car.2019-04-001 ·

Share on:

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP Execution Registry Event

Apr 28, 2026 · attack.execution attack.stealth attack.t1218.003 attack.g0069 car.2019-04-001 ·

Share on:

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP UAC Bypass via COM Object Access

Apr 28, 2026 · attack.execution attack.privilege-escalation attack.stealth attack.t1548.002 attack.t1218.003 attack.g0069 car.2019-04-001 ·

Share on:

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

DLL Loaded From Suspicious Location Via Cmspt.EXE

Apr 28, 2026 · attack.stealth attack.t1218.003 ·

Share on:

Detects cmstp loading "dll" or "ocx" files from suspicious locations

Outbound Network Connection Initiated By Cmstp.EXE

Apr 28, 2026 · attack.stealth attack.t1218.003 ·

Share on:

Detects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.