Microsoft Management Console File Execution from Unusual Path
This rule identifies the execution of Microsoft Management Console (MMC) files from unusual paths, a technique adversaries may use to bypass security controls and execute malicious code.
This detection identifies attempts to execute Microsoft Management Console (MMC) files (.msc) from non-standard directories on Windows systems. The Microsoft Management Console is a legitimate Windows utility, but adversaries may abuse it to execute malicious .msc files from locations outside the typical system directories to evade detection. This technique, often associated with initial access or execution phases, allows attackers to bypass application whitelisting or other security measures that rely on standard file paths. The detection logic focuses on monitoring process executions involving mmc.exe with .msc files as arguments, specifically when these files are launched from paths outside the common system folders like C:\Windows\System32 or C:\Program Files.
Attack Chain
- An attacker gains initial access to a system through a phishing email or other means.
- The attacker drops a malicious
.mscfile in a non-standard directory (e.g.,C:\Users\Public\). - A user, possibly tricked by social engineering, executes
mmc.exewith the malicious.mscfile as an argument. mmc.exeparses and executes the embedded code within the.mscfile.- The malicious code performs actions such as downloading and executing a payload or modifying system settings.
- The payload establishes persistence through registry keys or scheduled tasks.
- The attacker gains remote access to the compromised system.
Impact
Successful exploitation leads to arbitrary code execution on the targeted system. The attacker can then perform various malicious activities, including data theft, lateral movement, or deployment of ransomware. Due to the legitimate nature of mmc.exe, this technique can bypass many traditional security controls, making it difficult to detect and prevent. The impact ranges from single workstation compromise to broader network infiltration depending on the attacker's objectives and the scope of the malicious .msc file's payload.
Recommendation
- Implement the provided Sigma rule to detect
mmc.exeexecution with.mscfiles from unusual paths and tune the rule based on your environment. - Enable Sysmon process creation logging to capture the necessary process execution details to activate the Sigma rule.
- Monitor process execution logs for instances of
mmc.exebeing launched with.mscfiles as arguments. - Investigate any alerts generated by the Sigma rule, prioritizing those associated with unusual user activity or high-risk systems.
Detection coverage 2
Microsoft Management Console File from Unusual Path
mediumDetects execution of Microsoft Management Console files from unusual paths, which could indicate malicious activity.
MMC.exe Loading Unsigned .msc File
mediumDetects mmc.exe loading a .msc file that is not digitally signed.
Detection queries are available on the platform. Get full rules →