DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
Sigma rule
```yaml
title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
  - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2023-02-17
tags:
  - attack.defense-evasion
  - attack.t1218.003
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|endswith: '\cmstp.exe'
    ImageLoaded|contains:
      # Add more suspicious paths as you see fit in your env
      - '\PerfLogs\'
      - '\ProgramData\'
      - '\Users\'
      - '\Windows\Temp\'
      - 'C:\Temp\'
    ImageLoaded|endswith:
      - '.dll'
      - '.ocx'
  condition: selection
falsepositives:
  - Unlikely
level: high
```
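To show how the selection above is actually evaluated, here is a small Python re-implementation of its logic run over constructed Sysmon Event ID 7 (image_load) records. This is an added example, not code from the Sigma project or the rule author; the event records are made up for illustration, and the evaluator only reproduces the rule's own semantics (fields within one selection are ANDed, list values are ORed, and `contains`/`endswith` compare case-insensitively).

```python
"""Toy evaluator for the rule's 'selection', run over constructed
Sysmon Event ID 7 (image_load) records.

Added example, not part of the Sigma project. The event dicts below
are constructed sample data, not real telemetry.
"""
from __future__ import annotations

# Selection values copied from the rule. Sigma's contains/endswith
# modifiers are case-insensitive, so everything is compared lower-cased.
IMAGE_ENDSWITH = ["\\cmstp.exe"]
LOADED_CONTAINS = [
    "\\PerfLogs\\",
    "\\ProgramData\\",
    "\\Users\\",
    "\\Windows\\Temp\\",
    "C:\\Temp\\",
]
LOADED_ENDSWITH = [".dll", ".ocx"]


def _endswith_any(value: str, suffixes: list[str]) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles: list[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's single 'selection'.

    Inside one selection the three field conditions are ANDed and each
    list of values is ORed: Image ends with \\cmstp.exe AND ImageLoaded
    contains one suspicious path fragment AND ImageLoaded ends with
    .dll or .ocx.
    """
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    return (
        _endswith_any(image, IMAGE_ENDSWITH)
        and _contains_any(loaded, LOADED_CONTAINS)
        and _endswith_any(loaded, LOADED_ENDSWITH)
    )


# Constructed image_load events reduced to the two fields the rule
# inspects. Paths are illustrative, not observed telemetry.
SAMPLE_EVENTS = [
    {   # benign: cmstp loading a system DLL from System32
        "Image": "C:\\Windows\\System32\\cmstp.exe",
        "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
    },
    {   # hit: DLL under a user profile
        "Image": "C:\\Windows\\System32\\cmstp.exe",
        "ImageLoaded": "C:\\Users\\Public\\Downloads\\payload.dll",
    },
    {   # hit: OCX from C:\Temp, mixed-case paths still match
        "Image": "C:\\WINDOWS\\SysWOW64\\CMSTP.EXE",
        "ImageLoaded": "C:\\TEMP\\helper.OCX",
    },
    {   # miss: same suspicious module, but the loader is not cmstp
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "ImageLoaded": "C:\\Users\\Public\\Downloads\\payload.dll",
    },
    {   # miss: a DLL renamed to .bin slips past the extension clause
        "Image": "C:\\Windows\\System32\\cmstp.exe",
        "ImageLoaded": "C:\\ProgramData\\payload.bin",
    },
]


def alerting_events(events: list[dict]) -> list[dict]:
    """Run the selection over a batch of events and return the hits."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```

The last sample record is the caveat worth keeping in mind: image_load telemetry records any PE module mapped into the process, and a DLL renamed to an unusual extension and loaded from ProgramData is not caught by the `.dll`/`.ocx` clause. If that gap matters in your environment, a companion rule keyed on the suspicious path alone (with a higher false-positive expectation) covers it.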
Related rules
- Bypass UAC via CMSTP
- CMSTP Execution Process Access
- CMSTP Execution Process Creation
- CMSTP Execution Registry Event
- Outbound Network Connection Initiated By Cmstp.EXE