DLL Loaded From Suspicious Location Via Cmspt.EXE

Detects cmstp loading "dll" or "ocx" files from suspicious locations

Sigma rule

```yaml
title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2023-02-17
tags:
    - attack.defense-evasion
    - attack.t1218.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\cmstp.exe'
        ImageLoaded|contains:
            # Add more suspicious paths as you see fit in your env
            - '\PerfLogs\'
            - '\ProgramData\'
            - '\Users\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        ImageLoaded|endswith:
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
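The selection above combines three field tests with an implicit AND: the loading process must be cmstp.exe, the loaded module must sit under one of the listed writable directories, and it must be a `.dll` or `.ocx`. The following added example (not part of the Sigma project or this rule's source) re-implements that logic in Python and runs it over a handful of constructed Sysmon Event ID 7 (image load) records, which use the same `Image` and `ImageLoaded` field names the `image_load` log source maps to. Like Sigma's default string matching, the comparisons are case-insensitive, which is why the `CMSTP.EXE` / `.OCX` sample still triggers.

```python
"""Evaluate the CMSTP suspicious-DLL Sigma rule against constructed image-load events.

Added example for illustration; the events below are constructed, not real telemetry.
"""

# Values copied from the rule's selection. Sigma matches strings case-insensitively
# by default, so everything is lowercased before comparison.
IMAGE_ENDSWITH = ["\\cmstp.exe"]
IMAGELOADED_CONTAINS = [
    "\\PerfLogs\\",
    "\\ProgramData\\",
    "\\Users\\",
    "\\Windows\\Temp\\",
    "C:\\Temp\\",
]
IMAGELOADED_ENDSWITH = [".dll", ".ocx"]


def _endswith_any(value: str, suffixes: list[str]) -> bool:
    """Sigma '|endswith' with a list: true if any suffix matches."""
    return any(value.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, fragments: list[str]) -> bool:
    """Sigma '|contains' with a list: true if any fragment is a substring."""
    return any(f.lower() in value for f in fragments)


def matches_rule(event: dict) -> bool:
    """Return True if the event satisfies the rule's 'selection' (all three tests AND-ed)."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return (
        _endswith_any(image, IMAGE_ENDSWITH)
        and _contains_any(loaded, IMAGELOADED_CONTAINS)
        and _endswith_any(loaded, IMAGELOADED_ENDSWITH)
    )


# Constructed Sysmon Event ID 7 style records (fields trimmed to what the rule needs).
SAMPLE_EVENTS = [
    # cmstp loading a DLL from a user-writable temp folder: should alert
    {"id": 1, "Image": "C:\\Windows\\System32\\cmstp.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\inf.dll"},
    # cmstp loading a system DLL from System32: benign, not in the path list
    {"id": 2, "Image": "C:\\Windows\\System32\\cmstp.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    # a different process loading from ProgramData: out of scope for this rule
    {"id": 3, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\ProgramData\\tool.dll"},
    # mixed-case path and extension: still matches because comparison is case-insensitive
    {"id": 4, "Image": "C:\\Windows\\SysWOW64\\CMSTP.EXE",
     "ImageLoaded": "C:\\ProgramData\\Vendor\\ctl.OCX"},
    # suspicious directory but not a .dll/.ocx: the extension test fails
    {"id": 5, "Image": "C:\\Windows\\System32\\cmstp.exe",
     "ImageLoaded": "C:\\Temp\\helper.exe"},
]


def run_detection(events: list[dict] = SAMPLE_EVENTS) -> list[int]:
    """Return the ids of the events that trigger the rule."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT " if matches_rule(event) else "ignore"
        print(f"{verdict} event {event['id']}: {event['Image']} -> {event['ImageLoaded']}")
```

Running the script prints an ALERT line for events 1 and 4 only. When tuning the rule, the natural extension point is the `ImageLoaded|contains` list, exactly as the rule's own comment suggests; adding an environment-specific staging directory there requires no change to the matching logic.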
