T1218.014 MMC Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "mmc.exe"
| extend HasMSC = ProcessCommandLine has ".msc"
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "Desktop", "ProgramData")
| extend RemoteMSC = ProcessCommandLine has_any ("http://", "https://", "\\\\")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
| where (HasMSC and SuspiciousPath) or RemoteMSC or SuspiciousParent
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, HasMSC, SuspiciousPath, RemoteMSC, SuspiciousParent
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where InitiatingProcessFileName =~ "mmc.exe"
  | where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "net.exe", "netsh.exe")
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine
  | sort by Timestamp desc
)

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators launching MMC with custom .msc console files from network shares for administrative tasks
Software that creates custom MMC snap-ins and opens them via mmc.exe during installation or operation
Group Policy management tools and Active Directory administration utilities that use custom .msc files
Enterprise monitoring solutions that use MMC snap-ins for management interfaces

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\mmc.exe" OR ParentImage="*\\mmc.exe")
| eval HasMSC=if(match(CommandLine, "\.msc"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|Desktop|ProgramData)"), 1, 0)
| eval RemoteMSC=if(match(CommandLine, "(http[s]?://|\\\\\\\\[a-zA-Z])"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe"), 1, 0)
| eval SuspiciousChild=if(ParentImage="*\\mmc.exe" AND match(Image, "(cmd|powershell|wscript|cscript|net|netsh)\.exe"), 1, 0)
| eval RiskScore=(HasMSC * SuspiciousPath) + RemoteMSC + SuspiciousParent + SuspiciousChild
| where RiskScore > 0 OR SuspiciousChild=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, HasMSC, SuspiciousPath, RemoteMSC, SuspiciousParent, SuspiciousChild, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators launching MMC with custom .msc console files from network shares
Software creating custom MMC snap-ins during installation
Group Policy and Active Directory administration utilities using custom .msc files
Enterprise monitoring solutions using MMC snap-ins

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and process.name : "mmc.exe" and
   (
     (process.args : "*.msc" and process.args : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*", "*ProgramData*")) or
     process.args : ("http://*", "https://*", "\\\\*") or
     process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
   )
  ] by process.pid
  [process where event.type == "start" and
   process.parent.name : "mmc.exe" and
   process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "net.exe", "netsh.exe")
  ] by process.parent.pid

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate IT administrators opening custom .msc consoles stored in user profile directories such as AppData for convenience
Software deployment tools (SCCM, Ansible, PDQ Deploy) that invoke mmc.exe with .msc files from temp staging directories
Help desk or remote support workflows that programmatically launch MMC snap-ins via cmd.exe or PowerShell for automated configuration tasks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line,
  CASE
    WHEN LOWER("CommandLine") MATCHES REGEX '.*\.msc.*' AND LOWER("CommandLine") MATCHES REGEX '.*(temp|appdata|downloads|public|desktop|programdata).*' THEN 1 ELSE 0
  END +
  CASE
    WHEN "CommandLine" MATCHES REGEX '.*(https?://|\\\\\\\\[a-zA-Z]).*' THEN 1 ELSE 0
  END +
  CASE
    WHEN LOWER("ParentImage") MATCHES REGEX '.*(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe' THEN 1 ELSE 0
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13) -- Sysmon / Windows Security
  AND QIDNAME(qid) IN ('Process Create', 'ProcessCreate')
  AND (
    (LOWER("Image") LIKE '%\\mmc.exe' AND (
      (LOWER("CommandLine") MATCHES REGEX '.*\.msc.*' AND LOWER("CommandLine") MATCHES REGEX '.*(temp|appdata|downloads|public|desktop|programdata).*')
      OR "CommandLine" MATCHES REGEX '.*(https?://|\\\\\\\\).*'
      OR LOWER("ParentImage") MATCHES REGEX '.*(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe'
    ))
    OR (
      LOWER("ParentImage") LIKE '%\\mmc.exe'
      AND LOWER("Image") MATCHES REGEX '.*(cmd|powershell|wscript|cscript|net|netsh)\.exe'
    )
  )
  AND DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar with Sysmon DSM IBM QRadar with Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Authorized IT administrators using PowerShell scripts to automate MMC console launches for bulk configuration tasks across fleets
Security tooling or EDR products that spawn MMC snap-ins as part of host-based firewall or policy management
Enterprise management platforms (e.g., Microsoft RSAT) that invoke mmc.exe with administrative snap-ins from non-standard paths during provisioning

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json auto
| where EventID = "1" or EventCode = "1"
| where (toLower(Image) matches "*\\mmc.exe" or toLower(ParentImage) matches "*\\mmc.exe")
| eval has_msc = if(matches(CommandLine, "(?i)\.msc"), 1, 0)
| eval suspicious_path = if(matches(CommandLine, "(?i)(Temp|AppData|Downloads|Public|Desktop|ProgramData)"), 1, 0)
| eval remote_msc = if(matches(CommandLine, "(?i)(https?://|\\\\\\\\[a-zA-Z])"), 1, 0)
| eval suspicious_parent = if(matches(ParentImage, "(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe"), 1, 0)
| eval suspicious_child = if(toLower(ParentImage) matches "*\\mmc.exe" and matches(Image, "(?i)(cmd|powershell|wscript|cscript|net|netsh)\.exe"), 1, 0)
| eval risk_score = (has_msc * suspicious_path) + remote_msc + suspicious_parent + suspicious_child
| where risk_score > 0 or suspicious_child = 1
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, has_msc, suspicious_path, remote_msc, suspicious_parent, suspicious_child, risk_score
| sort by _messagetime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Sysmon source Sumo Logic Windows Event Log source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

IT operations scripts that call mmc.exe from PowerShell during scheduled maintenance windows to apply Group Policy or manage services
Software packaging workflows where installers stage .msc files in TEMP or ProgramData directories and launch them via cmd.exe for configuration
Vendor-supplied management utilities (e.g., storage or network appliance management consoles) that rely on MMC snap-ins and launch via Office macros or helper scripts

Google Chronicle / SecOps

yaral

rule mmc_suspicious_execution_t1218_014 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MMC.exe abuse for proxy execution via malicious .msc files (T1218.014). Covers suspicious path loading, remote MSC, malicious parent processes, and dangerous child process spawning."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.014"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    (
      // MMC loading suspicious .msc or spawned by suspicious parent
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)\\mmc\.exe$`)
      and (
        (
          re.regex($e1.target.process.command_line, `(?i)\.msc`) and
          re.regex($e1.target.process.command_line, `(?i)(Temp|AppData|Downloads|Public|Desktop|ProgramData)`)
        ) or
        re.regex($e1.target.process.command_line, `(?i)(https?://|\\\\[a-zA-Z])`) or
        re.regex($e1.principal.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$`)
      )
    ) or
    (
      // MMC spawning dangerous child processes
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)\\mmc\.exe$`)
      and re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|net|netsh)\.exe$`)
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle with Windows Sysmon forwarder Google Chronicle with Microsoft Defender for Endpoint

Required Tables

UDM Events — PROCESS_LAUNCH type

False Positives

Enterprise IT automation platforms that generate MMC executions with PowerShell parent processes as part of approved change management procedures
Security operations tooling that uses MMC snap-ins for host inspection and may spawn cmd.exe for supplemental data collection
Third-party endpoint management agents that store and launch .msc files from ProgramData or AppData directories for device management tasks

CrowdStrike LogScale (CQL)

cql

// T1218.014 — MMC.exe Suspicious Execution Detection
// Part 1: MMC loading suspicious .msc files or spawned by suspicious parents
#event_simpleName = "ProcessRollup2"
| ImageFileName = /\\mmc\.exe$/i
| eval HasMSC = if(CommandLine = /\.msc/i, 1, 0)
| eval SuspiciousPath = if(CommandLine = /(Temp|AppData|Downloads|Public|Desktop|ProgramData)/i, 1, 0)
| eval RemoteMSC = if(CommandLine = /(https?:\/\/|\\\\[a-zA-Z])/i, 1, 0)
| eval SuspiciousParent = if(ParentImageFileName = /(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe/i, 1, 0)
| eval RiskScore = (HasMSC * SuspiciousPath) + RemoteMSC + SuspiciousParent
| where RiskScore > 0
| join type=inner (
    #event_simpleName = "ProcessRollup2"
    | ParentImageFileName = /\\mmc\.exe$/i
    | ImageFileName = /(cmd|powershell|wscript|cscript|net|netsh)\.exe$/i
    | eval SuspiciousChild = 1
    | table TargetProcessId, ImageFileName, CommandLine, SuspiciousChild
  ) where TargetProcessId = TargetProcessId
| table _time, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, HasMSC, SuspiciousPath, RemoteMSC, SuspiciousParent, RiskScore
| sort _time desc

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Humio / LogScale with Falcon sensor data

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike sensor or Falcon management components that may spawn mmc.exe for Windows Firewall or policy snap-in management as part of host remediation actions
Scripted IT provisioning workflows that use cmd.exe or PowerShell to launch MMC with administrative .msc files stored in staging directories
Legitimate use of Windows administrative tools by privileged users (Domain Admins) who routinely open Active Directory Users and Computers or Group Policy Management from non-standard paths

MMC

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections