Adversaries may use cmstp.exe to load malicious DLLs from suspicious locations to execute arbitrary code and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and prevent lateral movement.
Detection Rule
title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2023-02-17
tags:
    - attack.defense-evasion
    - attack.t1218.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\cmstp.exe'
        ImageLoaded|contains:
            # Add more suspicious paths as you see fit in your env
            - '\PerfLogs\'
            - '\ProgramData\'
            - '\Users\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        ImageLoaded|endswith:
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unlikely
level: high
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\cmstp.exe"
    and (FolderPath contains "\\PerfLogs\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Users\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\")
    and (FolderPath endswith ".dll" or FolderPath endswith ".ocx")
Scenario: Scheduled System Update via Windows Update
Description: Windows Update may use cmstp.exe to load DLLs from a trusted Microsoft location as part of a system update process.
Filter/Exclusion: Exclude processes where the parent process is svchost.exe and the command line includes wuauclt.exe or wuauserv.
Scenario: Microsoft Intune Agent Configuration
Description: The Microsoft Intune agent may use cmstp.exe to load configuration DLLs from a legitimate Microsoft endpoint during policy application.
Filter/Exclusion: Exclude processes where the parent process is msiexec.exe or intunewsm.exe and the DLL path is within a known Microsoft enterprise distribution path.
Scenario: Admin Task to Load Custom DLL for Reporting
Description: An administrator may manually run cmstp.exe to load a custom DLL for internal reporting or analytics tools.
Filter/Exclusion: Exclude processes where the user is a domain admin and the DLL path is within a known internal tooling directory (e.g., C:\Tools\Reporting).
Scenario: Legacy Software Compatibility Tool
Description: Some legacy enterprise software may use cmstp.exe to load compatibility DLLs from a non-standard location during runtime.
Filter/Exclusion: Exclude processes where the parent process is a known legacy application (e.g., LegacyApp.exe) and the DLL path is within a designated compatibility directory.
Scenario: Malware Analysis Lab Environment
Description: In a sandboxed malware analysis environment, cmstp.exe may be used to load test DLLs from a controlled, non-malicious location.
Filter/Exclusion: Exclude processes where the process is running in a VM or container and the DLL path is within a known lab environment directory.
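The following is an added example, not part of the rule or of this page: a Python re-implementation of the rule's selection logic, with an allow-list hook modelling the path-based exclusions from the scenarios above, run over constructed sample image_load events. Field names follow the Sigma rule (Image, ImageLoaded); the Contoso reporting directory and its allow-list entry are hypothetical.

```python
from typing import Dict, Iterable, List

# String conditions taken from the rule's 'selection'. Sigma string modifiers
# compare case-insensitively by default, so everything is lower-cased first.
SUSPICIOUS_PATHS = ("\\PerfLogs\\", "\\ProgramData\\", "\\Users\\",
                    "\\Windows\\Temp\\", "C:\\Temp\\")
MODULE_EXTENSIONS = (".dll", ".ocx")


def matches_rule(event: Dict[str, str],
                 allowlist_prefixes: Iterable[str] = ()) -> bool:
    """True if an image_load event satisfies the rule and is not allow-listed.

    allowlist_prefixes models the per-environment exclusions (for example a
    known internal tooling directory) that the false-positive scenarios describe."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image.endswith("\\cmstp.exe"):
        return False                      # Image|endswith
    if not loaded.endswith(MODULE_EXTENSIONS):
        return False                      # ImageLoaded|endswith
    if not any(p.lower() in loaded for p in SUSPICIOUS_PATHS):
        return False                      # ImageLoaded|contains
    return not any(loaded.startswith(a.lower()) for a in allowlist_prefixes)


def hunt(events: Iterable[Dict[str, str]],
         allowlist_prefixes: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return the events that would raise this rule's alert."""
    prefixes = tuple(allowlist_prefixes)
    return [e for e in events if matches_rule(e, prefixes)]


CMSTP = "C:\\Windows\\System32\\cmstp.exe"
# Constructed sample telemetry (Sysmon event 7 style fields); not real data.
SAMPLE_EVENTS = [
    {"Image": CMSTP, "ImageLoaded": "C:\\Windows\\System32\\cmlua.dll"},        # system path: no hit
    {"Image": CMSTP, "ImageLoaded": "C:\\Users\\alice\\Downloads\\helper.dll"}, # hit
    {"Image": CMSTP.upper(), "ImageLoaded": "C:\\ProgramData\\upd\\ctl.OCX"},   # hit despite case
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Users\\alice\\x.dll"},                                 # wrong process
    {"Image": CMSTP, "ImageLoaded": "C:\\Windows\\Temp\\notes.txt"},            # not a module
    {"Image": CMSTP, "ImageLoaded": "C:\\ProgramData\\Contoso\\Reporting\\rep.dll"},  # hit unless allow-listed
]
# Hypothetical exclusion for the 'custom DLL for reporting' scenario.
REPORTING_ALLOWLIST = ("C:\\ProgramData\\Contoso\\Reporting\\",)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, REPORTING_ALLOWLIST):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

Without the allow-list the run yields three hits; with it the reporting DLL is suppressed and two remain, which is the trade-off each exclusion above makes.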