DFSP # 400 - CMSTP
This week I am going to focus on a specific remote execution technique that you may see in the wild. Remote execution is important for incident response investigations but also for file use and knowledge investigations, particularly those that include due diligence exams for evidence of malware. I have covered remote execution in the past from different angles because it is one of the red flags that an analyst should be looking for. To be effective in recognizing either an actual malicious execution or the risk of an attempted remote execution, you must be versed in the clever ways attackers attempt to compromise a host using Microsoft applications. The highlight this week will be CMSTP.exe abuse...