{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-management-console-file/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Management Console File","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may exploit Microsoft Management Console (MMC) by executing .msc files from non-standard directories to bypass security controls. This technique can be used for initial access and execution. This detection focuses on identifying the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from paths outside the typical system directories, which are generally considered trusted. By monitoring process executions and filtering out known legitimate paths, analysts can identify potentially malicious activity related to the misuse of MMC. The rule aims to detect deviations from standard administrative practices that could indicate unauthorized access or command execution via malicious or compromised \u003ccode\u003e.msc\u003c/code\u003e files. The detection logic specifically excludes executions from common directories like \u003ccode\u003eSystem32\u003c/code\u003e, \u003ccode\u003eSysWOW64\u003c/code\u003e, and \u003ccode\u003eProgram Files\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious \u003ccode\u003e.msc\u003c/code\u003e file in an unusual or untrusted directory (e.g., \u003ccode\u003eC:\\Users\\Public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emmc.exe\u003c/code\u003e with the malicious \u003ccode\u003e.msc\u003c/code\u003e file as an argument from the untrusted path.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emmc.exe\u003c/code\u003e processes the \u003ccode\u003e.msc\u003c/code\u003e file, potentially executing embedded commands or scripts.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.msc\u003c/code\u003e file performs unauthorized actions on the system, such as modifying system settings or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the execution context of \u003ccode\u003emmc.exe\u003c/code\u003e to bypass security controls and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by creating a scheduled task or modifying registry keys to execute the malicious \u003ccode\u003e.msc\u003c/code\u003e file automatically.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access, command execution, and privilege escalation, potentially compromising the entire system. While specific victim counts or sector targeting are not available, the technique is applicable across various Windows environments. The use of a trusted system binary like \u003ccode\u003emmc.exe\u003c/code\u003e for malicious purposes can evade traditional security measures, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eMicrosoft Management Console File from Unusual Path\u003c/code\u003e to detect the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from untrusted paths.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the origin and content of the \u003ccode\u003e.msc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of \u003ccode\u003e.msc\u003c/code\u003e files to authorized directories only.\u003c/li\u003e\n\u003cli\u003eReview and audit the use of MMC in the environment to identify any legitimate use cases that might trigger false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-mmc-untrusted-path/","summary":"Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.","title":"Microsoft Management Console File Execution from Unusual Path","url":"https://feed.craftedsignal.io/briefs/2024-07-mmc-untrusted-path/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Management Console File","version":"https://jsonfeed.org/version/1.1"}