Skip to content
Threat Feed
high advisory

Unusual Execution via Microsoft Common Console File

Adversaries may embed a malicious command in an MSC file to trick victims into executing malicious commands, leading to potential initial access, execution of malicious code, and defense evasion.

Attackers can embed malicious commands within Microsoft Common Console (MSC) files, which, when opened by a user, execute these commands. This technique is used to bypass traditional security measures and execute arbitrary code under the guise of a legitimate system process. The execution originates from mmc.exe, a signed Microsoft binary, making detection more challenging. While the specific campaigns leveraging this technique are not detailed in the source, the tactic is well-documented and can be used in conjunction with phishing or social engineering attacks to deliver the malicious MSC file. Successful exploitation can lead to initial access, code execution, and further compromise of the system. This approach is particularly effective against users who are not trained to recognize the risks associated with opening MSC files from untrusted sources.

Attack Chain

  1. An attacker crafts a malicious MSC file containing an embedded command or script.
  2. The MSC file is delivered to the victim via phishing, drive-by download, or other means.
  3. The victim opens the MSC file, which launches mmc.exe (Microsoft Management Console).
  4. mmc.exe executes the embedded malicious command or script.
  5. The malicious script may download and execute additional payloads (e.g., malware, backdoors).
  6. The attacker gains initial access and establishes persistence on the compromised system.
  7. The attacker performs lateral movement to other systems within the network.
  8. The attacker exfiltrates sensitive data or deploys ransomware.

Impact

A successful attack can lead to a full system compromise, including data theft, ransomware deployment, and disruption of services. The number of victims and specific sectors targeted are not available from the source, but the impact on individual organizations can be severe. If successful, this attack can bypass application control policies and traditional AV solutions, resulting in significant data loss and financial damage.

Recommendation

  • Enable Sysmon process creation logging to monitor for unusual child processes spawned by mmc.exe to activate the rule below.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect malicious MSC file execution.
  • Educate users about the risks of opening MSC files from untrusted sources to prevent initial access.

Detection coverage 2

Suspicious Child Process of MMC.exe

high

Detects suspicious child processes spawned by mmc.exe, indicating potential exploitation via malicious MSC files.

sigma tactics: execution techniques: T1204.002, T1218.014 sources: process_creation, windows

MMC.exe Loading Unsigned DLL

medium

Detects MMC.exe loading unsigned DLLs, which can be a sign of malicious activity.

sigma tactics: defense_evasion techniques: T1218.014 sources: image_load, windows

Detection queries are available on the platform. Get full rules →