Skip to content
Threat Feed
medium advisory

Microsoft Management Console File Execution from Unusual Path

This rule identifies the execution of Microsoft Management Console (MMC) files from unusual paths, a technique adversaries may use to bypass security controls and execute malicious code.

This detection identifies attempts to execute Microsoft Management Console (MMC) files (.msc) from non-standard directories on Windows systems. The Microsoft Management Console is a legitimate Windows utility, but adversaries may abuse it to execute malicious .msc files from locations outside the typical system directories to evade detection. This technique, often associated with initial access or execution phases, allows attackers to bypass application whitelisting or other security measures that rely on standard file paths. The detection logic focuses on monitoring process executions involving mmc.exe with .msc files as arguments, specifically when these files are launched from paths outside the common system folders like C:\Windows\System32 or C:\Program Files.

Attack Chain

  1. An attacker gains initial access to a system through a phishing email or other means.
  2. The attacker drops a malicious .msc file in a non-standard directory (e.g., C:\Users\Public\).
  3. A user, possibly tricked by social engineering, executes mmc.exe with the malicious .msc file as an argument.
  4. mmc.exe parses and executes the embedded code within the .msc file.
  5. The malicious code performs actions such as downloading and executing a payload or modifying system settings.
  6. The payload establishes persistence through registry keys or scheduled tasks.
  7. The attacker gains remote access to the compromised system.

Impact

Successful exploitation leads to arbitrary code execution on the targeted system. The attacker can then perform various malicious activities, including data theft, lateral movement, or deployment of ransomware. Due to the legitimate nature of mmc.exe, this technique can bypass many traditional security controls, making it difficult to detect and prevent. The impact ranges from single workstation compromise to broader network infiltration depending on the attacker's objectives and the scope of the malicious .msc file's payload.

Recommendation

  • Implement the provided Sigma rule to detect mmc.exe execution with .msc files from unusual paths and tune the rule based on your environment.
  • Enable Sysmon process creation logging to capture the necessary process execution details to activate the Sigma rule.
  • Monitor process execution logs for instances of mmc.exe being launched with .msc files as arguments.
  • Investigate any alerts generated by the Sigma rule, prioritizing those associated with unusual user activity or high-risk systems.

Detection coverage 2

Microsoft Management Console File from Unusual Path

medium

Detects execution of Microsoft Management Console files from unusual paths, which could indicate malicious activity.

sigma tactics: execution techniques: T1218.014 sources: process_creation, windows

MMC.exe Loading Unsigned .msc File

medium

Detects mmc.exe loading a .msc file that is not digitally signed.

sigma tactics: execution techniques: T1218.014 sources: image_load, windows

Detection queries are available on the platform. Get full rules →