T1218.014 Google Chronicle · YARA-L

Detect MMC in Google Chronicle

Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a signed Microsoft binary used to create, open, and save custom consoles containing administrative snap-ins. Adversaries can craft malicious .msc files that execute arbitrary commands when opened in MMC. The Medusa ransomware group has been documented using this technique. MMC snap-ins can execute commands, run scripts, and perform system administration actions, making malicious .msc files a powerful execution vehicle that bypasses application control.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1218 System Binary Proxy Execution
Sub-technique: T1218.014 MMC
Canonical reference: https://attack.mitre.org/techniques/T1218/014/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule mmc_suspicious_execution_t1218_014 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MMC.exe abuse for proxy execution via malicious .msc files (T1218.014). Covers suspicious path loading, remote MSC, malicious parent processes, and dangerous child process spawning."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.014"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    (
      // MMC loading suspicious .msc or spawned by suspicious parent
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)\\mmc\.exe$`)
      and (
        (
          re.regex($e1.target.process.command_line, `(?i)\.msc`) and
          re.regex($e1.target.process.command_line, `(?i)(Temp|AppData|Downloads|Public|Desktop|ProgramData)`)
        ) or
        re.regex($e1.target.process.command_line, `(?i)(https?://|\\\\[a-zA-Z])`) or
        re.regex($e1.principal.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$`)
      )
    ) or
    (
      // MMC spawning dangerous child processes
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)\\mmc\.exe$`)
      and re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|net|netsh)\.exe$`)
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting MMC.exe abuse (T1218.014) via UDM event model. Triggers on PROCESS_LAUNCH events where MMC loads .msc files from suspicious directories, uses remote paths, is spawned by script interpreters or Office applications, or spawns dangerous child processes such as cmd.exe or PowerShell.

Data Sources

  • Google Chronicle with Windows Sysmon forwarder
  • Google Chronicle with Microsoft Defender for Endpoint

Required Tables

UDM Events — PROCESS_LAUNCH type

False Positives & Tuning

  • Enterprise IT automation platforms that generate MMC executions with PowerShell parent processes as part of approved change management procedures
  • Security operations tooling that uses MMC snap-ins for host inspection and may spawn cmd.exe for supplemental data collection
  • Third-party endpoint management agents that store and launch .msc files from ProgramData or AppData directories for device management tasks

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: MMC Execution with Custom MSC File from Temp

    Expected signal: Sysmon Event ID 11: .msc file written to Temp. Sysmon Event ID 1: mmc.exe with Temp path in command line. Security Event ID 4688.

  2. Test 2: MMC Launched from PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe, then mmc.exe with ParentImage=powershell.exe. The suspicious-parent branch of the rule fires. Security Event ID 4688.

  3. Test 3: MMC Child Process Spawning

    Expected signal: If a real malicious snap-in were loaded, Sysmon Event ID 1 would show cmd.exe or powershell.exe with ParentImage=mmc.exe. This test only generates the mmc.exe process creation event, for detection validation.
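An offline check of the rule logic, added here and not code from this page or from Argus Detection Engineering: the Python below re-implements the rule's predicates and runs them over constructed, flattened UDM-style PROCESS_LAUNCH events that mirror Tests 1-3 plus a benign baseline. The flat key names (principal_path, target_path, command_line) are an assumed stand-in for the UDM paths the rule reads.

```python
import re

# Predicates copied from the YARA-L rule above; Python's re accepts the same leading (?i) flag.
MMC_PATH = re.compile(r"(?i)\\mmc\.exe$")
MSC_ARG = re.compile(r"(?i)\.msc")
SUSPICIOUS_DIR = re.compile(r"(?i)(Temp|AppData|Downloads|Public|Desktop|ProgramData)")  # unanchored: also matches "Templates"
REMOTE_PATH = re.compile(r"(?i)(https?://|\\\\[a-zA-Z])")
SUSPICIOUS_PARENT = re.compile(r"(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$")
DANGEROUS_CHILD = re.compile(r"(?i)(cmd|powershell|wscript|cscript|net|netsh)\.exe$")


def evaluate(event):
    """Return the rule branches a flattened UDM PROCESS_LAUNCH event satisfies ([] = no alert).
    Keys are an assumed flattening: principal_path/target_path = principal/target.process.file.full_path,
    command_line = target.process.command_line."""
    if event.get("event_type") != "PROCESS_LAUNCH":
        return []
    parent, child = event.get("principal_path", ""), event.get("target_path", "")
    cmdline = event.get("command_line", "")
    hits = []
    if MMC_PATH.search(child):  # first events block: mmc.exe is the launched process
        if MSC_ARG.search(cmdline) and SUSPICIOUS_DIR.search(cmdline):
            hits.append("msc_from_suspicious_dir")
        if REMOTE_PATH.search(cmdline):
            hits.append("remote_msc_path")
        if SUSPICIOUS_PARENT.search(parent):
            hits.append("suspicious_parent")
    if MMC_PATH.search(parent) and DANGEROUS_CHILD.search(child):  # second block: mmc.exe is the parent
        hits.append("dangerous_child")
    return hits


MMC = r"C:\Windows\System32\mmc.exe"

def ev(parent, child, cmdline):
    """Build one flattened PROCESS_LAUNCH event (constructed sample data, not real telemetry)."""
    return {"event_type": "PROCESS_LAUNCH", "principal_path": parent, "target_path": child, "command_line": cmdline}

SAMPLE_EVENTS = {  # mirrors Tests 1-3 above plus a benign baseline: an admin opening services.msc from Explorer
    "test1_temp_msc": ev(r"C:\Windows\explorer.exe", MMC, rf'"{MMC}" C:\Users\jdoe\AppData\Local\Temp\console.msc'),
    "test2_powershell_parent": ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MMC,
                                  rf'"{MMC}" C:\Windows\System32\services.msc'),
    "test3_mmc_child": ev(MMC, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    "benign_services_msc": ev(r"C:\Windows\explorer.exe", MMC, rf'"{MMC}" C:\Windows\System32\services.msc'),
}

def run_samples():
    """Evaluate every sample; only the benign baseline should come back with no hits."""
    return {name: evaluate(e) for name, e in SAMPLE_EVENTS.items()}
```

Because the directory regex is an unanchored substring match, any command line containing Temp, Public or Desktop anywhere trips the first branch, which is where the tuning entries above apply.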
