LOLBAS-Project · ghosts621 · Feb 22, 2026 · Feb 22, 2026 · Feb 22, 2026 · Feb 22, 2026
@@ -23,6 +23,13 @@ Commands:
     Tags:
       - Execute: INF
       - Execute: Remote
+  - Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" /v CmstpExtensionDll /t REG_SZ /d "{PATH_ABSOLUTE:.dll}" /f & cmstp.exe /nf
+    Description: cmstp.exe reads the CmstpExtensionDll registry value and passes its data directly to LoadLibrary. By modifying this registry key, an attacker can sideload an arbitrary DLL.
+    Usecase: Proxy execution of a malicious DLL via registry modification.
+    Category: Execute
+    Privileges: Administrator
+    MitreID: T1218.003
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
   - Path: C:\Windows\System32\cmstp.exe
   - Path: C:\Windows\SysWOW64\cmstp.exe
@@ -35,15 +42,19 @@ Detection:
   - IOC: Execution of cmstp.exe without a VPN use case is suspicious
   - IOC: DotNet CLR libraries loaded into cmstp.exe
   - IOC: DotNet CLR Usage Log - cmstp.exe.log
+  - IOC: Registry modification to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe\CmstpExtensionDll
 Resources:
   - Link: https://twitter.com/NickTyrer/status/958450014111633408
   - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
   - Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
   - Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
   - Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
   - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
+  - Link: https://gist.github.com/ghosts621/ea8ad5b8a0904dd40b33f01f0e8285dc
 Acknowledgement:
   - Person: Oddvar Moe
     Handle: '@oddvarmoe'
   - Person: Nick Tyrer
     Handle: '@NickTyrer'
+  - Person: Naor Evgi
+    Handle: '@ghosts621'
@@ -13,15 +13,32 @@ Commands:
     OperatingSystem: Windows
     Tags:
       - Execute: EXE
+  - Command: copy C:\Windows\System32\dxcap.exe %TEMP%\dxcap.exe & copy calc.exe %TEMP%\Xperf.exe & %TEMP%\dxcap.exe -usage
+    Description: dxcap.exe attempts to execute Xperf.exe from the current directory or its own directory. By placing a malicious Xperf.exe alongside a copied dxcap.exe, an attacker can achieve proxy execution with standard user privileges.
+    Usecase: Proxy execution of malicious code by hijacking the Xperf.exe call.
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\System32\dxcap.exe
   - Path: C:\Windows\SysWOW64\dxcap.exe
+Code_Sample:
+  - Code: https://gist.github.com/ghosts621/1d0e0f43f7288c826035d5d011b6ca51
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
+  - IOC: dxcap.exe executing from outside of System32/SysWOW64
+  - IOC: dxcap.exe spawning Xperf.exe
+  - IOC: Xperf.exe executing from unusual directories (if not running from ADK path)
 Resources:
   - Link: https://twitter.com/harr0ey/status/992008180904419328
+  - Link: https://github.com/ghosts621
 Acknowledgement:
   - Person: Matt harr0ey
     Handle: '@harr0ey'
   - Person: Vikas Singh
     Handle: '@vikas891'
+  - Person: Naor Evgi
+    Handle: '@ghosts621'