T1218.014: MMC
Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt. MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.
For example, mmc C:\Users\foo\admintools.msc /a will open a custom, saved console .msc file in author mode. Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window.
Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).
Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object. Then, adversaries may create custom consoles with the "Link to Web Address" snap-in that is linked to the malicious CLSID subkey. Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\path\to\test.msc.
Positive Technologies products that cover the technique
Description of detection methods is not available yet
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may gather information about the victim's DNS that can be used during targeting.
DS0022 | File: File Creation | Monitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as
DS0009 | Process: Process Creation | Monitor processes for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious.
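As an added example (not part of the ATT&CK or Positive Technologies text), the following Python applies the process-creation detection idea above to constructed records: it flags a console loaded from outside the Windows system directories, the -Embedding switch paired with such a console, and the wbadmin.msc catalog deletion from the description. Field names, sample paths and the list of shell parents are assumptions.

```python
import re
from typing import Dict, List

# Constructed process-creation records (not real telemetry), shaped like the
# fields a SIEM normalises from Sysmon Event ID 1 or Windows Security 4688.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc"'},
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mmc C:\Users\foo\admintools.msc /a"},
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mmc wbadmin.msc delete catalog -quiet"},
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"mmc.exe -Embedding C:\Users\foo\AppData\Local\Temp\test.msc"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe readme.txt"},
]

# Directories holding the Microsoft-shipped consoles (assumes the default install drive).
TRUSTED_MSC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Interpreters that rarely launch a management console in routine admin use (assumption).
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
MSC_RE = re.compile(r'"?([^"\s]+\.msc)"?', re.IGNORECASE)


def mmc_findings(event: Dict[str, str]) -> List[str]:
    """Return the reasons an mmc.exe process-creation event deserves review
    (empty list if none). A bare console name such as gpedit.msc resolves
    from System32 and is treated as trusted."""
    if not event["image"].lower().endswith("\\mmc.exe"):
        return []
    cmd = event["cmdline"]
    tokens = [t.lower() for t in cmd.split()]
    findings: List[str] = []
    custom_console = False
    for path in MSC_RE.findall(cmd):
        # A directory part outside the system folders means a user-authored console.
        if "\\" in path and not path.lower().startswith(TRUSTED_MSC_DIRS):
            custom_console = True
            findings.append(f"console loaded from non-system path: {path}")
    if "-embedding" in tokens and custom_console:
        findings.append("-Embedding (COM activation) of a custom console")
    if "wbadmin.msc" in tokens and "delete" in tokens and "catalog" in tokens:
        findings.append("wbadmin.msc backup catalog deletion (Inhibit System Recovery)")
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if findings and parent in SHELL_PARENTS:
        findings.append(f"spawned by shell interpreter {parent}")
    return findings
```

The legitimate gpedit.msc launch from Explorer and the unrelated notepad event produce no findings; the three command lines quoted in the technique description each produce at least one.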
Mitigation
ID | Name | Description
---|---|---
M1042 | Disable or Remove Feature or Program | MMC may not be necessary within a given environment since it is primarily used by system administrators, not regular users or clients.
M1038 | Execution Prevention | Use application control configured to block execution of MMC if it is not required for a given system or network to prevent potential misuse by adversaries.