System Binary Proxy Execution: MMC T1218.014

Tactic: Stealth

Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt. MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.

Events covered

27 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
--- | --- | ---
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 3 | Network connection
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 8 | CreateRemoteThread
Sysmon | Event ID 11 | FileCreate
Security-Auditing | Event ID 4663 | An attempt was made to access an object.
Security-Auditing | Event ID 4688 | A new process has been created.
Defender-DeviceEvents | CreateRemoteThreadApiCall | CreateRemoteThread API call
Defender-DeviceEvents | ClrUnbackedModuleLoaded | CLR unbacked module loaded
Defender-DeviceEvents | NtAllocateVirtualMemoryRemoteApiCall | Remote virtual memory allocation (NtAllocateVirtualMemory)
Defender-DeviceEvents | MemoryRemoteProtect | Remote virtual memory protection change
Defender-DeviceEvents | NtMapViewOfSectionRemoteApiCall | Remote section map (NtMapViewOfSection)
Defender-DeviceEvents | QueueUserApcRemoteApiCall | Remote APC queued (QueueUserApc)
Defender-DeviceEvents | SetThreadContextRemoteApiCall | Remote thread context change (SetThreadContext)
Defender-DeviceEvents | ReadProcessMemoryApiCall | ReadProcessMemory API call
Defender-DeviceFileEvents | FileCreated | File created
Defender-DeviceFileEvents | FileRenamed | File renamed
Defender-DeviceProcessEvents | ProcessCreated | Process created
DotNETRuntime | Event ID 152 | ModuleID=ModuleID.
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
Threat-Intelligence | Event ID 1 | Remote Virtual Memory Allocation
Threat-Intelligence | Event ID 2 | Remote Virtual Memory Protection Change
Threat-Intelligence | Event ID 3 | Remote Section Map
Threat-Intelligence | Event ID 4 | Remote APC Queue
Threat-Intelligence | Event ID 5 | Remote Thread Context Change
Threat-Intelligence | Event ID 11 | Local Virtual Memory Read

Authoring guide

Patterns shared across the 22 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (28 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
--- | --- | --- | ---
EventID | 9 | eq 9 | 1, 4688, 4103, 4104, 4663
parent_process_name | 8 | eq 5, in 2, match 2 | mmc.exe, (?i)mmc\.exe, cscript.exe, mshta.exe, services.exe
process_name | 6 | eq 3, in 2, ends_with 1, ne 1 | mmc.exe, :\\windows\\system32\\mmc.exe, at.exe, atbroker.exe, bash.exe
CommandLine | 5 | contains 2, in 2, regex_match 2 | (?i)\.msc, *:\\Windows\\Cursors\\*, *:\\Windows\\INF\\*, *:\\Windows\\Media\\*, *powershell*
Image | 4 | ends_with 3, wildcard 1 | \mmc.exe, ?:\windows\system32\mmc.exe, \\mmc.exe, \device\harddiskvolume*\windows\system32\mmc.exe
event.type | 4 | eq 4 | start
EventType | 3 | eq 2, in 1 | ClrUnbackedModuleLoaded, CreateRemoteThreadApiCall, MemoryRemoteProtect, NtAllocateVirtualMemoryRemoteApiCall, ProcessCreated
Type | 3 | eq 3 |
ImageLoaded | 2 | ends_with 2 | .dll, \jscript.dll, \jscript9.dll, \vbscript.dll
process.parent.args | 2 | ends_with 1, eq 1 | .msc, WF.msc
AccessList | 1 | eq 1 | %%4416
Channel | 1 | eq 1, in 1 |
Company | 1 | ne 1 | Microsoft Corporation
DestinationPort | 1 | ge 1 | 49152
Initiated | 1 | eq 1 | incoming, ingress

Top indicator values (153 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach figure counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A combination marked as specific to this technique is checked by no rule outside it.

Field, kind, value (rules here, corpus reach):

- event.type eq start  (rules here 4, corpus reach 606)
- parent_process_name eq mmc.exe  (rules here 4, corpus reach 5)
- EventID eq 1  (rules here 3, corpus reach 237)
- EventID eq 4688  (rules here 3, corpus reach 313)
- CommandLine regex_match (?i)\.msc  (rules here 2, corpus reach 2)
- Image ends_with \mmc.exe  (rules here 2, corpus reach 5)
- parent_process_name in mmc.exe  (rules here 2, corpus reach 4)
- parent_process_name match (?i)mmc\.exe  (rules here 2, corpus reach 2)
- process_name eq mmc.exe  (rules here 2, corpus reach 7)
- AccessList eq %%4416  (rules here 1, corpus reach 2)
- CommandLine contains .msc  (rules here 1, specific to this technique)
- CommandLine contains cod.msc  (rules here 1, specific to this technique)
- CommandLine contains fdp.msc  (rules here 1, specific to this technique)
- CommandLine contains ftr.msc  (rules here 1, specific to this technique)
- CommandLine contains lmth.msc  (rules here 1, specific to this technique)
- CommandLine contains slx.msc  (rules here 1, specific to this technique)
- CommandLine contains tdo.msc  (rules here 1, specific to this technique)
- CommandLine contains xcod.msc  (rules here 1, specific to this technique)
- CommandLine contains xslx.msc  (rules here 1, specific to this technique)
- CommandLine contains xtpp.msc  (rules here 1, specific to this technique)
- CommandLine in *:\\Windows\\Cursors\\*  (rules here 1, specific to this technique)
- CommandLine in *:\\Windows\\INF\\*  (rules here 1, specific to this technique)
- CommandLine in *:\\Windows\\Media\\*  (rules here 1, specific to this technique)
- CommandLine in *:\\Windows\\Prefetch\\*  (rules here 1, specific to this technique)
- CommandLine in *:\\Windows\\debug\\*  (rules here 1, specific to this technique)
- CommandLine in *:\\Windows\\fonts\\*  (rules here 1, specific to this technique)
- CommandLine in *:\\Windows\\repair\\*  (rules here 1, specific to this technique)
- CommandLine in *:\\Windows\\servicing\\*  (rules here 1, specific to this technique)
- CommandLine in *Recycle.bin*  (rules here 1, corpus reach 2)
- CommandLine in *\\Download*  (rules here 1, specific to this technique)

Exclusions (34 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field, kind, value (rules excluding):

- CommandLine regex_match (?i)C:\x5cWindows\x5c(system32|syswow64)\x5c\w+\.msc  (excluded by 2 rules)
- process_name match (?i):\x5c(windows\x5c(system32|syswow64)\x5c(mmc|wermgr|werfault)\.exe)|progr...  (excluded by 2 rules)
- CommandLine contains c:\\windows\\ccm\\  (excluded by 1 rule)
- CommandLine in *C:\\Windows\\System32\\certmgr.msc*  (excluded by 1 rule)
- CommandLine in *C:\\Windows\\System32\\eventvwr.msc*  (excluded by 1 rule)
- CommandLine match (?i):\x5c(Windows\x5c(System32|SysWOW64)\x5c(wermgr|WerFault)\.exe)  (excluded by 1 rule)
- CommandLine starts_with "C:\WINDOWS\system32\mmc.exe" "C:\Windows\System32\gpme.msc" /s /gpobject:"LDAP://  (excluded by 1 rule)
- CommandLine wildcard "C:\Windows\System32\mmc.exe" CompMgmt.msc*  (excluded by 1 rule)
- CommandLine wildcard C:\Windows\system32\mmc.exe eventvwr.msc /s  (excluded by 1 rule)
- CommandLine wildcard mmc.exe eventvwr.msc /s  (excluded by 1 rule)
- Image eq ?:\program files (x86)\microsoft\edge\application\msedge.exe  (excluded by 1 rule)
- Image eq ?:\program files\google\chrome\application\chrome.exe  (excluded by 1 rule)
- Image eq ?:\program files\internet explorer\iexplore.exe  (excluded by 1 rule)
- Image eq ?:\program files\mozilla firefox\firefox.exe  (excluded by 1 rule)
- Image eq ?:\windows\system32\mmc.exe  (excluded by 1 rule)
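
To show how the indicators and exclusions in this guide combine into one predicate, here is an added example (not part of the catalog or of any vendor's rule) that applies the Image ends_with \mmc.exe and CommandLine regex_match (?i)\.msc indicators together with the .msc exclusions listed above to process-creation records, and notes why the path regex alone does not cover consoles opened by bare name. The event shape and the sample command lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Indicator and exclusion values are quoted from the catalog tables on this page.
MSC_IN_CMDLINE = re.compile(r"(?i)\.msc")  # CommandLine regex_match
SYSTEM_MSC = re.compile(r"(?i)C:\x5cWindows\x5c(system32|syswow64)\x5c\w+\.msc")
STOCK_CONSOLE_GLOBS = [  # CommandLine wildcard exclusions for bare console names
    r'"C:\Windows\System32\mmc.exe" CompMgmt.msc*',
    r"C:\Windows\system32\mmc.exe eventvwr.msc /s",
    r"mmc.exe eventvwr.msc /s",
]

@dataclass
class ProcessEvent:
    """Minimal Sysmon Event ID 1 / Security 4688 shape (assumed field subset)."""
    image: str
    command_line: str
    parent_image: str

def is_stock_console(cmdline: str) -> bool:
    # The regex only covers fully pathed .msc files under System32/SysWOW64, so
    # consoles opened by bare name (eventvwr.msc /s) need the wildcard exclusions too.
    if SYSTEM_MSC.search(cmdline):
        return True
    return any(fnmatchcase(cmdline.lower(), g.lower()) for g in STOCK_CONSOLE_GLOBS)

def msc_proxy_execution(ev: ProcessEvent) -> bool:
    """mmc.exe started with an .msc argument that is not a built-in console."""
    if not ev.image.lower().endswith(r"\mmc.exe"):  # Image ends_with \mmc.exe
        return False
    return bool(MSC_IN_CMDLINE.search(ev.command_line)) and not is_stock_console(ev.command_line)

def spawned_by_mmc(ev: ProcessEvent) -> bool:
    """parent_process_name eq mmc.exe: a snap-in launching a child process."""
    return ev.parent_image.lower().endswith(r"\mmc.exe")
# Constructed sample events (not from the page); the first two are stock consoles.
MMC, EXPLORER = r"C:\Windows\System32\mmc.exe", r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    ProcessEvent(MMC, r"C:\Windows\system32\mmc.exe eventvwr.msc /s", EXPLORER),
    ProcessEvent(MMC, r'"C:\WINDOWS\system32\mmc.exe" "C:\Windows\System32\gpme.msc" /s', EXPLORER),
    ProcessEvent(MMC, r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\report.msc"', EXPLORER),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe", MMC),
]

def alerts(events=SAMPLE_EVENTS) -> list[tuple[int, str]]:
    """(index, reason) for every event that trips a predicate."""
    reasons = (("non-stock .msc opened by mmc.exe", msc_proxy_execution),
               ("child process of mmc.exe", spawned_by_mmc))
    return [(i, r) for i, ev in enumerate(events) for r, pred in reasons if pred(ev)]
```

Only the console loaded from a user profile path and the child spawned by mmc.exe are reported; both stock consoles fall into the exclusions.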

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.


- Sigma: 2 rules
- Elastic: 4 rules
- Splunk: 13 rules
- Kusto: 3 rules