Unusual Execution via Microsoft Common Console File
Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/05/12"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/05/01"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious
command in an MSC file in order to trick victims into executing malicious commands.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Unusual Execution via Microsoft Common Console File"
references = ["https://www.genians.co.kr/blog/threat_intelligence/facebook"]
risk_score = 73
rule_id = "e760c72b-bb1f-44f0-9f0d-37d51744ee75"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Tactic: Initial Access",
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and
  not (
    process.parent.args : (
      "?:\\Windows\\System32\\*.msc",
      "?:\\Windows\\SysWOW64\\*.msc",
      "?:\\Program files\\*.msc",
      "?:\\Program Files (x86)\\*.msc"
    ) or
    (
      process.executable : "?:\\Windows\\System32\\mmc.exe" and
      process.command_line : "\"C:\\WINDOWS\\system32\\mmc.exe\" \"C:\\Windows\\System32\\gpme.msc\" /s /gpobject:\"LDAP://*"
    ) or
    (
      process.executable : (
        "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "?:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "?:\\Program Files\\internet explorer\\iexplore.exe"
      ) and
      process.args : "http*://go.microsoft.com/fwlink/*"
    ) or
    process.executable : (
      "?:\\Windows\\System32\\vmconnect.exe",
      "?:\\Windows\\System32\\WerFault.exe",
      "?:\\Windows\\System32\\wermgr.exe"
    )
  )
'''

note = """## Triage and analysis

### Investigating Unusual Execution via Microsoft Common Console File

#### Possible investigation steps

- What ".msc" path and immediate child process triggered the alert?
  - Focus: `process.parent.executable`, `process.parent.args`, `process.parent.command_line`, `process.executable`, and `process.command_line`.
  - Implication: escalate when "mmc.exe" opens a user-writable, download, cloud-sync, archive-extraction, or document-like ".msc" and the child is a shell, script host, "mshta.exe", "schtasks.exe", or another LOLBin; lower suspicion only when the exact ".msc" path and child command fit a recognized administrative console workflow on this host.

- Does the child command line expose second-stage or persistence intent?
  - Focus: `process.command_line`, checking for "WScript.Shell", "schtasks /create", "OneDriveUpdate", "wscript.exe /b", "start /min", "mshta", ".hta", remote URLs, or script/batch names.
  - Hint: review same-child file and network events for staged scripts, task artifacts, or remote retrieval. Missing network telemetry is unresolved, not benign. $investigate_3
  - Implication: escalate when the command creates tasks, hides/minimizes execution, starts script hosts, or embeds remote retrieval; lower suspicion only when the arguments perform a narrow helper action expected from the same console.

- Does the child identity and session context fit expected administration?
  - Focus: `process.executable`, `process.code_signature.subject_name`, `process.code_signature.trusted`, `process.Ext.relative_file_creation_time`, and the `user.id` + `host.id` pair.
  - Implication: escalate when the child runs from a user-writable or recently created path, has a signer mismatch, or appears under an unexpected administrative user/session; identity confirmation alone never clears an unsafe command line.

- Do descendants continue the MSC-launched chain into scripting, tasks, or delayed execution?
  - Why: MSC lures can store task commands that create a scheduled task, run VBS, then launch HTA through "mshta.exe"; the first child may be only the handoff.
  - Focus: descendant starts on the same `host.id`, linked by `process.parent.entity_id` or `process.Ext.ancestry`, checking `process.name` and `process.command_line`. $investigate_2
  - Hint: if entity linkage is absent, match `process.parent.pid` to the alerting `process.pid` within a tight alert-time window and treat matches as weaker.
  - Hint: after a suspicious descendant, expand that descendant's file and network events from Timeline.
  - Implication: escalate when descendants show "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "schtasks.exe", repeated shells, Microsoft-themed task names, or command-line URLs; lower suspicion when the tree ends at one expected helper with no delayed script or task process.

- If local evidence remains suspicious or unresolved, what related alerts change scope or containment?
  - Focus: related alerts for the same `user.id`, especially document delivery, script execution, task creation, or outbound staging. $investigate_0
  - Hint: review same-`host.id` alerts to separate one-host lure execution from repeated activity across assets. $investigate_1
  - Implication: broaden containment when the same user or host also shows initial-access, script-host, scheduled-task, or outbound-staging alerts; keep response local when those alerts are absent, but leave benign closure to the process-chain synthesis.

- Escalate for lure-driven ".msc" execution, script staging, scheduled-task creation, remote retrieval, or suspicious descendants; close only when alert-local evidence and process recovery bind one exact recognized console workflow with no contradictory descendants; preserve artifacts and escalate when evidence is mixed or visibility incomplete.

### False positive analysis

- Custom administrative consoles, vendor MMC snap-ins, or IT troubleshooting bundles stored outside default Windows console paths can launch helpers, browsers, viewers, or support utilities. Confirm that `process.parent.args`, `process.parent.command_line`, `process.executable`, `process.command_line`, `process.code_signature.subject_name`, `user.id`, and `host.id` all align with one exact console package or affected cohort. If inventory, ticketing, or owner confirmation is unavailable, close only when process and descendant telemetry still prove that helper workflow with no unresolved script, task, hidden execution, or remote-retrieval behavior.
- Before creating an exception, validate prior alerts from this rule for the same ".msc" path in `process.parent.args`, child `process.executable`, signer in `process.code_signature.subject_name`, stable `process.command_line`, and bounded `user.id` and `host.id` scope. Build the exception from that full workflow pattern; avoid exceptions on `process.parent.name` value "mmc.exe" or the child `process.executable` alone.

### Response and remediation

- If confirmed benign, reverse any temporary containment and document the exact ".msc" path, child command pattern, signer, `user.id`, and `host.id`. Create an exception only after the same workflow pattern recurs consistently across prior alerts from this rule.
- If suspicious but unconfirmed, preserve a case export for the alerting process instance (`host.id` plus `process.entity_id` or `process.pid` and alert time), the parent MSC path, child and descendant command lines, executable hash/signer, task names, script names, and URLs visible in command lines before making destructive changes. Apply reversible containment first, such as temporary URL/domain blocking, disabling a newly created scheduled task after preserving its command, or heightened monitoring on the affected `host.id` and `user.id`.
- If confirmed malicious, isolate the host or contain the affected account only after preserving the process chain, scheduled-task names, script names, hashes, and command-line indicators. Terminate malicious child or descendant processes after preservation, block confirmed command-line URLs or domains, and hand off the preserved artifact set if endpoint response is unavailable.
- Eradicate only the malicious ".msc", scripts, scheduled tasks, and staged payloads identified during the investigation, then remediate the delivery path that let the lure execute. Review related hosts and users for the same `process.parent.args` path or descendant `process.command_line` pattern before broad cleanup.
- Post-incident hardening: restrict or warn on ".msc" launches from user-writable, download, archive-extraction, or cloud-sync paths, and retain process lineage and command-line telemetry needed to distinguish future admin consoles from MSC lures.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "user.id",
  "process.entity_id",
  "process.pid",
  "process.executable",
  "process.command_line",
  "process.code_signature.subject_name",
  "process.code_signature.trusted",
  "process.hash.sha256",
  "process.Ext.session_info.logon_type",
  "process.Ext.relative_file_creation_time",
  "process.parent.executable",
  "process.parent.command_line",
  "process.parent.args",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Descendant processes from the MMC-launched child"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File and network events for the MMC-launched child"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.014"
name = "MMC"
reference = "https://attack.mitre.org/techniques/T1218/014/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
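To show how the rule's EQL predicate and its four exclusion branches behave on concrete events, here is an added Python re-implementation run over constructed sample process-start events; it is not part of the Elastic rule, and the `ProcEvent` dataclass and its attribute names are assumptions standing in for the ECS fields.

```python
import fnmatch
from dataclasses import dataclass
from typing import List

@dataclass
class ProcEvent:            # hypothetical stand-in for an ECS process "start" event
    parent_executable: str  # process.parent.executable
    parent_args: List[str]  # process.parent.args
    executable: str         # process.executable
    command_line: str       # process.command_line
    args: List[str]         # process.args

def ci_glob(value: str, patterns: List[str]) -> bool:
    """Case-insensitive wildcard match, approximating EQL's ':' against a value list."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

MMC = ["?:\\Windows\\System32\\mmc.exe"]
DEFAULT_CONSOLE_PATHS = ["?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc",
                         "?:\\Program Files\\*.msc", "?:\\Program Files (x86)\\*.msc"]
GPME_CMDLINE = ['"C:\\WINDOWS\\system32\\mmc.exe" "C:\\Windows\\System32\\gpme.msc" /s /gpobject:"LDAP://*']
BROWSERS = ["?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            "?:\\Program Files\\Mozilla Firefox\\firefox.exe",
            "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Program Files\\internet explorer\\iexplore.exe"]
KNOWN_HELPERS = ["?:\\Windows\\System32\\vmconnect.exe", "?:\\Windows\\System32\\WerFault.exe",
                 "?:\\Windows\\System32\\wermgr.exe"]

def matches_rule(ev: ProcEvent) -> bool:
    """True when the event satisfies the rule: parent mmc.exe loading a .msc, no exclusion hit."""
    if not ci_glob(ev.parent_executable, MMC):
        return False
    # endswith~ is case-insensitive; on an array field it matches if any element matches
    if not any(a.lower().endswith(".msc") for a in ev.parent_args):
        return False
    if any(ci_glob(a, DEFAULT_CONSOLE_PATHS) for a in ev.parent_args):
        return False  # console shipped in a default Windows / Program Files directory
    if ci_glob(ev.executable, MMC) and ci_glob(ev.command_line, GPME_CMDLINE):
        return False  # nested mmc.exe opening the Group Policy editor on an LDAP object
    if ci_glob(ev.executable, BROWSERS) and any(
            ci_glob(a, ["http*://go.microsoft.com/fwlink/*"]) for a in ev.args):
        return False  # browser following a Microsoft help link from the console
    if ci_glob(ev.executable, KNOWN_HELPERS):
        return False  # error-reporting and VM-console helpers
    return True

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\mmc.exe", ["C:\\Users\\alice\\Downloads\\invoice.msc"],
              "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c wscript.exe /b C:\\Users\\alice\\AppData\\Local\\Temp\\run.vbs",
              ["cmd.exe", "/c", "wscript.exe", "/b", "C:\\Users\\alice\\AppData\\Local\\Temp\\run.vbs"]),
    ProcEvent("C:\\Windows\\System32\\mmc.exe", ["C:\\Windows\\System32\\eventvwr.msc"],
              "C:\\Windows\\System32\\notepad.exe", "notepad.exe log.txt", ["notepad.exe", "log.txt"]),
    ProcEvent("C:\\Windows\\System32\\mmc.exe", ["D:\\Tools\\helpdesk.msc"],
              "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
              "chrome.exe https://go.microsoft.com/fwlink/?LinkId=1", ["chrome.exe", "https://go.microsoft.com/fwlink/?LinkId=1"]),
    ProcEvent("C:\\Windows\\System32\\mmc.exe", ["D:\\Tools\\helpdesk.msc"],
              "C:\\Windows\\System32\\WerFault.exe", "WerFault.exe -u -p 4321", ["WerFault.exe", "-u", "-p", "4321"]),
    ProcEvent("C:\\Windows\\System32\\mmc.exe", ["D:\\Tools\\helpdesk.msc"],
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -File D:\\Tools\\collect.ps1", ["powershell.exe", "-File", "D:\\Tools\\collect.ps1"]),
]

def firing_children(events: List[ProcEvent]) -> List[str]:
    """Child executables of the events that would raise this alert."""
    return [ev.executable for ev in events if matches_rule(ev)]

if __name__ == "__main__":
    for exe in firing_children(SAMPLE_EVENTS):
        print("ALERT:", exe)
```

The last sample shows why the false-positive guidance matters: a legitimate custom console outside the default directories still fires, so the exception must be built from the full console path plus child workflow, not from "mmc.exe" alone.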
Related rules
- Potential Foxmail Exploitation
- Command Execution via SolarWinds Process
- Suspicious Explorer Child Process
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process