{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/common-console-file/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Common Console File","Edge","Firefox","Chrome","Internet Explorer","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["execution","initial-access","windows","msc"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Mozilla","Google","SentinelOne"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging Microsoft Common Console (MSC) files to deliver malicious payloads. This technique involves embedding malicious commands within an MSC file and enticing victims to execute them, bypassing traditional security measures. The attack begins when a user opens a seemingly benign .msc file, which in turn executes a malicious child process. This approach is effective because MSC files are typically associated with legitimate system administration tools, making them less likely to be flagged by security software or arouse suspicion from users. This technique has been observed in various threat landscapes. It is important for defenders to monitor process execution and command-line arguments to detect and prevent such attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious .msc file containing an embedded command.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the .msc file to the victim via phishing or other social engineering tactics.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .msc file, which is processed by \u003ccode\u003emmc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emmc.exe\u003c/code\u003e executes a child process based on the embedded command, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious script or downloads further payloads.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload may establish persistence, such as creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access and control over the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain initial access and execute arbitrary code on compromised systems. This can lead to data theft, system compromise, and further malicious activities such as ransomware deployment. The execution of arbitrary code can enable adversaries to install backdoors, steal credentials, and move laterally within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for unusual child processes spawned by \u003ccode\u003emmc.exe\u003c/code\u003e with command-line arguments ending in \u003ccode\u003e.msc\u003c/code\u003e using the \u0026ldquo;Unusual Execution via Microsoft Common Console File\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure visibility into process relationships and command-line arguments, which is crucial for detecting this type of attack.\u003c/li\u003e\n\u003cli\u003eReview and tune the provided Sigma rules to reduce false positives based on your environment\u0026rsquo;s legitimate usage of \u003ccode\u003e.msc\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables, mitigating the impact of successful exploitation.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening untrusted files, especially those received via email or downloaded from the internet, to reduce the likelihood of initial compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-16T12:00:00Z","date_published":"2024-05-16T12:00:00Z","id":"/briefs/2024-05-msc-execution/","summary":"Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands, leading to initial access and execution of arbitrary code.","title":"Unusual Execution via Microsoft Common Console File","url":"https://feed.craftedsignal.io/briefs/2024-05-msc-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Common Console File","version":"https://jsonfeed.org/version/1.1"}