T1218.014 IBM QRadar · QRadar

Detect MMC in IBM QRadar

Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a signed Microsoft binary used to create, open, and save custom consoles containing administrative snap-ins. Adversaries can craft malicious .msc files that execute arbitrary commands when opened in MMC. The Medusa ransomware group has been documented using this technique. MMC snap-ins can execute commands, run scripts, and perform system administration actions, making malicious .msc files a powerful execution vehicle that bypasses application control.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.014 MMC
Canonical reference
https://attack.mitre.org/techniques/T1218/014/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line,
  -- Risk score: one point per detection dimension (0..3)
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*\.msc.*' AND LOWER("CommandLine") MATCHES '.*(temp|appdata|downloads|public|desktop|programdata).*' THEN 1 ELSE 0
  END +
  CASE
    WHEN "CommandLine" MATCHES '.*(https?://|\\\\\\\\[a-zA-Z]).*' THEN 1 ELSE 0
  END +
  CASE
    WHEN LOWER("ParentImage") MATCHES '.*(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe' THEN 1 ELSE 0
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13) -- Sysmon / Windows Security
  AND QIDNAME(qid) IN ('Process Create', 'ProcessCreate')
  AND (
    -- Branch 1: mmc.exe launched with a suspicious .msc, remote payload, or suspicious parent
    (LOWER("Image") LIKE '%\\mmc.exe' AND (
      (LOWER("CommandLine") MATCHES '.*\.msc.*' AND LOWER("CommandLine") MATCHES '.*(temp|appdata|downloads|public|desktop|programdata).*')
      OR "CommandLine" MATCHES '.*(https?://|\\\\\\\\).*'
      OR LOWER("ParentImage") MATCHES '.*(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe'
    ))
    -- Branch 2: mmc.exe spawning a shell or network utility
    OR (
      LOWER("ParentImage") LIKE '%\\mmc.exe'
      AND LOWER("Image") MATCHES '.*(cmd|powershell|wscript|cscript|net|netsh)\.exe'
    )
  )
  -- Last 24 hours: starttime and NOW() are both epoch milliseconds
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500
```
Severity: high. Confidence: medium.

QRadar AQL detection for MMC.exe abuse (T1218.014). Queries Sysmon or Windows Security log sources for MMC loading suspicious .msc files, remote MSC payloads, suspicious parent processes, or MMC spawning dangerous child processes. Computes a risk score across detection dimensions.
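As an added example, not part of this page or of the QRadar rule, the same three scoring terms and both WHERE branches are reimplemented in Python and run over constructed Sysmon Event ID 1 records, so the logic can be checked offline before the AQL is deployed:

```python
import re

# Constructed sample Sysmon Event ID 1 records (not real telemetry); the keys
# mirror the custom event properties the AQL reads: Image, CommandLine, ParentImage.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Users\bob\AppData\Local\Temp\update.msc',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" \\fileserver01\share\console.msc',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\mmc.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",   # benign baseline: built-in console from System32
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Same patterns as the AQL; re.search() replaces AQL's explicit '.*...' wrapping.
USER_WRITABLE = re.compile(r"(temp|appdata|downloads|public|desktop|programdata)")
REMOTE_PAYLOAD = re.compile(r"(https?://|\\\\[a-zA-Z])")  # URL or UNC path
SUSPICIOUS_PARENT = re.compile(r"(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe$")
DANGEROUS_CHILD = re.compile(r"(cmd|powershell|wscript|cscript|net|netsh)\.exe$")

def risk_score(ev):
    """The three CASE terms of the query, summed (0..3)."""
    cmd_l, parent_l = ev["CommandLine"].lower(), ev["ParentImage"].lower()
    score = 1 if ".msc" in cmd_l and USER_WRITABLE.search(cmd_l) else 0
    score += 1 if REMOTE_PAYLOAD.search(ev["CommandLine"]) else 0
    score += 1 if SUSPICIOUS_PARENT.search(parent_l) else 0
    return score

def match_reason(ev):
    """The WHERE clause: which branch selected the event, or None."""
    image_l, parent_l = ev["Image"].lower(), ev["ParentImage"].lower()
    # Branch 1 uses the same three tests as the score, so any nonzero score selects.
    if image_l.endswith("\\mmc.exe") and risk_score(ev) > 0:
        return "mmc_suspicious_launch"
    if parent_l.endswith("\\mmc.exe") and DANGEROUS_CHILD.search(image_l):
        return "mmc_spawned_child"
    return None

def run_detection(events):
    """Return (reason, risk_score) for every selected event, highest score first."""
    hits = [(match_reason(e), risk_score(e)) for e in events if match_reason(e)]
    return sorted(hits, key=lambda h: h[1], reverse=True)
```

The child-process hit scores 0 because the three CASE terms only describe the mmc.exe launch itself; triage on the branch as well as the score so `mmc_spawned_child` events are not sorted last.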

Data Sources

  • IBM QRadar with Sysmon DSM
  • IBM QRadar with Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives & Tuning

  • Authorized IT administrators using PowerShell scripts to automate MMC console launches for bulk configuration tasks across fleets
  • Security tooling or EDR products that spawn MMC snap-ins as part of host-based firewall or policy management
  • Enterprise management platforms (e.g., Microsoft RSAT) that invoke mmc.exe with administrative snap-ins from non-standard paths during provisioning

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: MMC Execution with Custom MSC File from Temp

    Expected signal: Sysmon Event ID 11: .msc file written to Temp. Sysmon Event ID 1: mmc.exe with Temp path in command line. Security Event ID 4688.

  2. Test 2: MMC Launched from PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe then mmc.exe with ParentImage=powershell.exe. SuspiciousParent fires. Security Event ID 4688.

  3. Test 3: MMC Child Process Spawning

    Expected signal: If a real malicious snap-in were loaded, Sysmon EventCode=1 would show cmd.exe or powershell.exe with ParentImage=mmc.exe. This test generates the mmc.exe process creation event for detection validation.
