LOLBAS Cmstp Loading Files from Suspicious Location

Rule Info

Name: LOLBAS Cmstp Loading Files from Suspicious Location
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects the execution of cmstp.exe loading potentially malicious files from suspicious locations. Attackers may abuse the living-off-the-land capability of the CMSTP utility to execute malicious payloads; the technique is often used to evade detection and to persist on the system.
Date: 2025-02-21 00:00:00
Modified: None
Id: 9c0765cf-13fa-41b1-8dae-212f8d730c91
Tags: attack.defense-evasion attack.t1218.003 attack.t1548.002
Type: Nextron Sigma feed only (private)
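The detection idea in the description, written out as an added example that is not the Sigma rule itself (the rule is private and its actual selection logic is not shown here): process-creation events are matched on cmstp.exe by image name or by PE OriginalFileName, the INF argument is pulled from the command line, and the hit is raised when that file sits in one of an assumed list of suspicious directories. The event fields, the directory list and the sample events are all constructed for the example.

```python
import re
from typing import Iterable, Optional

# Assumed directories from which a legitimately deployed connection-manager
# profile is rarely loaded (illustrative list, not the rule's own).
SUSPICIOUS_DIR_PATTERNS = [
    r"\\users\\public\\",
    r"\\appdata\\local\\temp\\",
    r"\\appdata\\roaming\\",
    r"\\windows\\temp\\",
    r"\\downloads\\",
]
SUSPICIOUS_DIR_RE = re.compile("|".join(SUSPICIOUS_DIR_PATTERNS), re.IGNORECASE)
# A .inf argument, either quoted ("C:\dir with space\x.inf") or a bare token.
INF_ARG_RE = re.compile(r'"([^"]+?\.inf)"|(\S+?\.inf)\b', re.IGNORECASE)


def is_cmstp(event: dict) -> bool:
    """True when the process is cmstp.exe, by image name or, if the binary
    was copied under another name, by the PE OriginalFileName field."""
    base = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return base == "cmstp.exe" or original == "cmstp.exe"


def inf_paths(command_line: str) -> list:
    """Every .inf argument on the command line, quotes stripped."""
    return [quoted or bare for quoted, bare in INF_ARG_RE.findall(command_line)]


def is_suspicious_cmstp(event: dict) -> Optional[str]:
    """The flagged INF path when cmstp loads a profile from a suspicious
    directory, otherwise None."""
    if not is_cmstp(event):
        return None
    for path in inf_paths(event.get("CommandLine", "")):
        if SUSPICIOUS_DIR_RE.search(path):
            return path
    return None


def scan(events: Iterable[dict]) -> list:
    """(CommandLine, flagged INF path) for every event that triggers."""
    return [(e["CommandLine"], hit) for e in events if (hit := is_suspicious_cmstp(e))]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmstp.exe", "OriginalFileName": "CMSTP.EXE",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\Public\profile.inf"},
    {"Image": r"C:\Windows\System32\cmstp.exe", "OriginalFileName": "CMSTP.EXE",
     "CommandLine": r'"C:\Windows\System32\cmstp.exe" /s "C:\ProgramData\Contoso\vpn.inf"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\Public\profile.inf"},
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": "CMSTP.EXE",
     "CommandLine": r"svc.exe /ni /s C:\Users\bob\AppData\Local\Temp\x.inf"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first and fourth events only: the second loads its profile from a non-suspicious directory and the third is not cmstp at all.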

Rule History