title: MMC (T1218.014)
id: df00tech-t1218-014
status: experimental
description: "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a signed Microsoft binary used to create, open, and save custom consoles containing administrative snap-ins. Adversaries can craft malicious .msc files that execute arbitrary commands when opened in MMC. The Medusa ransomware group has been documented using this technique. MMC snap-ins can execute commands, run scripts, and perform system administration actions, making malicious .msc files a powerful execution vehicle that bypasses application control."
references:
  - https://attack.mitre.org/techniques/T1218/014/
  - https://df00tech.com/detections/T1218.014
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.014
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
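  # Placeholder: the original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below matches any event carrying an EventID and does not narrow to
  # mmc.exe or .msc activity; replace it with the translated logic before deploying this rule.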
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators launching MMC with custom .msc console files from network shares for administrative tasks
  - Software that creates custom MMC snap-ins and opens them via mmc.exe during installation or operation
  - Group Policy management tools and Active Directory administration utilities that use custom .msc files
  - Enterprise monitoring solutions that use MMC snap-ins for management interfaces
level: high
