Sigma | Level: high | Hunting

MMC Spawning Windows Shell

Detects a Windows command line executable started from MMC

MITRE ATT&CK

lateral-movement

Detection Query

selection1:
  ParentImage|endswith: \mmc.exe
selection2:
  - Image|endswith:
      - \cmd.exe
      - \powershell.exe
      - \pwsh.exe
      - \wscript.exe
      - \cscript.exe
      - \sh.exe
      - \bash.exe
      - \reg.exe
      - \regsvr32.exe
  - Image|contains: \BITSADMIN
condition: all of selection*
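To make the matching semantics of the detection block above concrete, the following Python evaluator is an added example (it is not part of the rule, the Sigma project, or the page's own tooling). It implements the two selections and the `all of selection*` condition directly: Sigma string comparisons with the `endswith` and `contains` modifiers are case-insensitive, `selection2` is a list and therefore an OR of its entries, and the leading backslash in each value anchors the match to the file name. The process-creation events it runs over are constructed here for illustration, with field names taken from the Sigma process_creation taxonomy used in the rule.

```python
"""Evaluate the 'MMC Spawning Windows Shell' Sigma logic over sample events.

Added example: a hand-written evaluator for this one rule, not a generic
Sigma engine. The events below are constructed, not real telemetry.
"""

# Values copied from the rule's selection2 (Image|endswith list).
SHELL_SUFFIXES = (
    r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe", r"\wscript.exe",
    r"\cscript.exe", r"\sh.exe", r"\bash.exe", r"\reg.exe", r"\regsvr32.exe",
)
# Value from the rule's Image|contains entry.
BITSADMIN_SUBSTRING = r"\BITSADMIN"
# Value from selection1 (ParentImage|endswith).
MMC_SUFFIX = r"\mmc.exe"

# Constructed sample process-creation events (Sysmon/4688-style fields).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # match
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # match
    {"ParentImage": r"C:\WINDOWS\SYSTEM32\MMC.EXE",
     "Image": r"C:\Windows\System32\bitsadmin.exe"},                 # match via contains, case-insensitive
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # no match: parent is not mmc.exe
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},                   # no match: benign child
    {"ParentImage": r"C:\Tools\notmmc.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # no match: leading backslash anchors to file name
]


def _endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix comparison."""
    return value.lower().endswith(suffix.lower())


def _contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return needle.lower() in value.lower()


def selection1(event: dict) -> bool:
    """ParentImage|endswith: '\\mmc.exe'."""
    return _endswith(event.get("ParentImage", ""), MMC_SUFFIX)


def selection2(event: dict) -> bool:
    """List of two maps -> OR: Image ends with a shell name, or contains \\BITSADMIN."""
    image = event.get("Image", "")
    return any(_endswith(image, s) for s in SHELL_SUFFIXES) or _contains(image, BITSADMIN_SUBSTRING)


def matches(event: dict) -> bool:
    """condition: all of selection*  -> every selection must be true."""
    return selection1(event) and selection2(event)


def run_rule(events: list) -> list:
    """Return the indices of events that trigger the rule."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"ALERT event {idx}: {e['ParentImage']} -> {e['Image']}")
```

Events 0 to 2 fire and 3 to 5 do not. The last sample is the one worth noting when porting this rule to a SIEM: a backend that drops the leading backslash and matches on a bare `mmc.exe` suffix would also flag `notmmc.exe` as a parent, so keep the separator in the translated pattern.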

Author

Karneades, Swisscom CSIRT

Created

2019-08-05

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.lateral-movement
attack.t1021.003

Raw Content
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\mmc.exe'
    selection2:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
              - '\cscript.exe'
              - '\sh.exe'
              - '\bash.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
        - Image|contains: '\BITSADMIN'
    condition: all of selection*
level: high