DLL Loaded From Suspicious Location Via Cmspt.EXE
- source: sigma
- techniques:
  - t1218
  - t1218.003
Description
Detects cmstp.exe loading .dll or .ocx files from suspicious (typically user-writable) locations
Detection logic
selection:
  ImageLoaded|contains:
    - \PerfLogs\
    - \ProgramData\
    - \Users\
    - \Windows\Temp\
    - C:\Temp\
  ImageLoaded|endswith:
    - .dll
    - .ocx
  Image|endswith: \cmstp.exe
condition: selection
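To show how the selection above behaves on real telemetry, here is an added Python example that evaluates the same three clauses over constructed Sysmon Event ID 7 (Image loaded) records. It is not part of the Sigma project; the field names follow Sigma's image_load logsource, the sample paths are invented, and it assumes Sigma's default case-insensitive `contains`/`endswith` semantics (all three clauses are AND-ed, each list is OR-ed).

```python
# Added example (not from the Sigma project): evaluates the rule's
# `selection` over constructed Sysmon Event ID 7 records. Matching is
# case-insensitive, as Sigma's contains/endswith modifiers are by default.

SUSPICIOUS_DIRS = [
    "\\PerfLogs\\",
    "\\ProgramData\\",
    "\\Users\\",
    "\\Windows\\Temp\\",
    "C:\\Temp\\",
]
MODULE_EXTENSIONS = [".dll", ".ocx"]
LOADER_IMAGE_SUFFIX = "\\cmstp.exe"


def matches(event: dict) -> bool:
    """Return True when the event satisfies every clause of `selection`.

    The three keys of a Sigma map are AND-ed; each list of values is OR-ed.
    """
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return (
        image.endswith(LOADER_IMAGE_SUFFIX.lower())
        and any(d.lower() in loaded for d in SUSPICIOUS_DIRS)
        and any(loaded.endswith(ext) for ext in MODULE_EXTENSIONS)
    )


# Constructed sample events; every path and file name here is invented.
SAMPLE_EVENTS = [
    # 1: cmstp.exe loading an OCX from a user-writable directory -> alert
    {"EventID": 7,
     "Image": "C:\\Windows\\System32\\cmstp.exe",
     "ImageLoaded": "C:\\Users\\Public\\setup.ocx"},
    # 2: cmstp.exe loading a system DLL from System32 -> benign, no match
    {"EventID": 7,
     "Image": "C:\\Windows\\System32\\cmstp.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    # 3: suspicious directory but not a DLL/OCX -> no match
    {"EventID": 7,
     "Image": "C:\\Windows\\System32\\cmstp.exe",
     "ImageLoaded": "C:\\ProgramData\\Vendor\\profile.inf"},
    # 4: DLL from a user directory but a different loader -> out of scope
    {"EventID": 7,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\helper.dll"},
    # 5: same pattern as 1 with mixed case -> still an alert
    {"EventID": 7,
     "Image": "C:\\WINDOWS\\system32\\CMSTP.EXE",
     "ImageLoaded": "C:\\PROGRAMDATA\\Vendor\\Bar.DLL"},
]


def alerts(events) -> list:
    """Return the ImageLoaded paths of the events that trigger the rule."""
    return [e["ImageLoaded"] for e in events if matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT: cmstp.exe loaded a module from a suspicious location:", path)
```

Events 1 and 5 fire; 2, 3 and 4 each fail exactly one clause, which is a useful way to sanity-check a rule before deploying it. Note that `\Users\` also covers `C:\Users\Public` and per-user installs of legitimate software, so in production this selection is normally paired with an allowlist filter for known-good module paths.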