detection.wiki

Detection rules › Sigma

DLL Loaded From Suspicious Location Via Cmspt.EXE

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects cmstp loading "dll" or "ocx" files from suspicious locations

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1218.003 System Binary Proxy Execution: CMSTP

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: selection

or:
ImageLoaded|endswith: .dll
ImageLoaded|endswith: .ocx
or:
ImageLoaded|contains: 'C:\Temp\'
ImageLoaded|contains: '\PerfLogs\'
ImageLoaded|contains: '\ProgramData\'
ImageLoaded|contains: '\Users\'
ImageLoaded|contains: '\Windows\Temp\'
Image|endswith: '\cmstp.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \cmstp.exe corpus 9 (sigma 9)
ImageLoadedends_with
  • .dll corpus 3 (sigma 3)
  • .ocx
ImageLoadedmatch
  • C:\Temp\
  • \PerfLogs\
  • \ProgramData\ corpus 3 (sigma 3)
  • \Users\
  • \Windows\Temp\ corpus 2 (sigma 2)