Microsoft Management Console File from Unusual Path
Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.
Elastic rule
[metadata]
creation_date = "2024/06/19"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for
initial access and execution.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Management Console File from Unusual Path"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft Management Console File from Unusual Path

Microsoft Management Console (MMC) is a Windows utility that provides a framework for system management. Adversaries may exploit MMC by executing .msc files from non-standard directories to bypass security controls. The detection rule identifies such anomalies by monitoring the execution of mmc.exe with .msc files from untrusted paths, flagging potential unauthorized access or execution attempts.

### Possible investigation steps

- Review the process execution details to confirm the path of the mmc.exe and the .msc file being executed. Check if the path is indeed non-standard or untrusted as per the query criteria.
- Investigate the origin of the .msc file by examining file creation and modification timestamps, and check for any recent changes or unusual activity in the directory where the file resides.
- Analyze the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious.
- Check for any related alerts or logs around the same timeframe that might indicate lateral movement or other malicious activities, such as unusual network connections or file access patterns.
- Correlate the event with other data sources mentioned in the rule, such as Microsoft Defender for Endpoint or Crowdstrike, to gather additional context or corroborating evidence of potential malicious activity.
- Assess the risk and impact of the execution by determining if the .msc file has any known malicious signatures or if it attempts to perform unauthorized actions on the system.

### False positive analysis

- Legitimate administrative tasks may trigger this rule if system administrators execute .msc files from custom directories. To manage this, create exceptions for known administrative scripts or tools that are regularly used from non-standard paths.
- Software installations or updates might involve executing .msc files from temporary or installation directories. Monitor these activities and whitelist specific installation paths if they are verified as safe and part of routine operations.
- Automated scripts or third-party management tools could execute .msc files from non-standard locations as part of their normal operation. Identify these tools and add their execution paths to the exception list to prevent unnecessary alerts.
- Development or testing environments may involve running .msc files from various directories for testing purposes. Establish a separate monitoring policy for these environments or exclude known development paths to reduce false positives.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes related to mmc.exe executing from untrusted paths to halt potential malicious activity.
- Conduct a thorough review of the system's recent activity logs to identify any additional indicators of compromise or related suspicious activities.
- Remove any unauthorized .msc files found in non-standard directories and ensure they are not reintroduced.
- Restore the system from a known good backup if any unauthorized changes or damage is detected.
- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
references = ["https://www.elastic.co/security-labs/grimresource"]
risk_score = 73
rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Windows Security Event Logs",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.executable : (
    "?:\\Windows\\System32\\mmc.exe",
    "\\Device\\HarddiskVolume?\\Windows\\System32\\mmc.exe"
  ) and
  process.args : "*.msc" and
  not process.args : (
    "?:\\Windows\\System32\\*.msc",
    "?:\\Windows\\SysWOW64\\*.msc",
    "?:\\Program files\\*.msc",
    "?:\\Program Files (x86)\\*.msc"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"

[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.014"
name = "MMC"
reference = "https://attack.mitre.org/techniques/T1218/014/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
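The following is an added example, not Elastic's code, that re-implements the EQL query above in Python and runs it over constructed process-start events, so the matching semantics can be checked offline: EQL's `:` operator is a case-insensitive wildcard match (`*` any run of characters, `?` exactly one), `process.args` matches if any element matches, and the trailing `not process.args : (...)` suppresses the event when any argument falls inside a trusted directory. It also shows the tuning the false-positive section describes: a hypothetical extra trusted path (`EXAMPLE_EXCEPTIONS`, an assumption, not part of the rule) added to the exclusion list. The sample events are constructed, not real telemetry, and the flattened dotted field names are a simplification of ECS documents.

```python
import re
from typing import Iterable, Sequence

# Wildcard patterns copied from the rule's EQL query. EQL's ':' operator is a
# case-insensitive wildcard match where '*' is any run of characters and '?' is one.
MMC_EXECUTABLES = (
    r"?:\Windows\System32\mmc.exe",
    r"\Device\HarddiskVolume?\Windows\System32\mmc.exe",
)
TRUSTED_MSC_PATHS = (
    r"?:\Windows\System32\*.msc",
    r"?:\Windows\SysWOW64\*.msc",
    r"?:\Program files\*.msc",
    r"?:\Program Files (x86)\*.msc",
)

# Hypothetical tuning exception (an assumption, not part of the rule): a console
# directory an organisation has verified as legitimate administrative tooling.
EXAMPLE_EXCEPTIONS = (r"?:\Admin\Consoles\*.msc",)


def eql_glob(pattern: str) -> "re.Pattern[str]":
    """Translate one EQL ':' wildcard pattern into a compiled, case-insensitive regex."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.compile(regex, re.IGNORECASE | re.DOTALL)


def any_match(values: Iterable[str], patterns: Sequence[str]) -> bool:
    """EQL array semantics: true if any value fully matches any pattern."""
    compiled = [eql_glob(p) for p in patterns]
    return any(rx.fullmatch(v) for v in values for rx in compiled)


def matches_rule(event: dict, exceptions: Sequence[str] = ()) -> bool:
    """Apply the rule's query to one flattened process event.

    `exceptions` are extra trusted .msc path patterns, the kind of tuning the
    false-positive section describes; they are appended to the rule's own list.
    """
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not any_match([event.get("process.executable", "")], MMC_EXECUTABLES):
        return False
    args = event.get("process.args", [])
    if not any_match(args, ("*.msc",)):
        return False
    # 'not process.args : (...)' excludes the event if ANY arg sits in a trusted path.
    return not any_match(args, tuple(TRUSTED_MSC_PATHS) + tuple(exceptions))


def flag_events(events: Sequence[dict], exceptions: Sequence[str] = ()) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev, exceptions)]


# Constructed sample events (not real telemetry), flattened to dotted field names.
SAMPLE_EVENTS = [
    {   # 0: built-in console from System32 -> trusted path, no alert
        "host.os.type": "windows", "event.type": "start",
        "process.executable": r"C:\Windows\System32\mmc.exe",
        "process.args": [r"C:\Windows\System32\mmc.exe", r"C:\Windows\System32\eventvwr.msc"],
    },
    {   # 1: console opened from a user-writable download folder -> alert
        "host.os.type": "windows", "event.type": "start",
        "process.executable": r"C:\Windows\System32\mmc.exe",
        "process.args": [r"C:\Windows\System32\mmc.exe", r"C:\Users\alice\Downloads\invoice.msc"],
    },
    {   # 2: device-path form of the executable, console on a second drive -> alert
        "host.os.type": "windows", "event.type": "start",
        "process.executable": r"\Device\HarddiskVolume2\Windows\System32\mmc.exe",
        "process.args": [r"mmc.exe", r"D:\share\tools.msc"],
    },
    {   # 3: a different binary handling an .msc -> executable filter fails, no alert
        "host.os.type": "windows", "event.type": "start",
        "process.executable": r"C:\Windows\System32\notepad.exe",
        "process.args": [r"notepad.exe", r"C:\Users\alice\Downloads\invoice.msc"],
    },
    {   # 4: admin console from a custom directory -> alert unless an exception covers it
        "host.os.type": "windows", "event.type": "start",
        "process.executable": r"C:\Windows\System32\mmc.exe",
        "process.args": [r"C:\Windows\System32\mmc.exe", r"C:\Admin\Consoles\custom.msc"],
    },
    {   # 5: process end event; the rule only looks at starts -> no alert
        "host.os.type": "windows", "event.type": "end",
        "process.executable": r"C:\Windows\System32\mmc.exe",
        "process.args": [r"C:\Windows\System32\mmc.exe", r"C:\Users\alice\Downloads\invoice.msc"],
    },
]

if __name__ == "__main__":
    print("alerts with rule as shipped:", flag_events(SAMPLE_EVENTS))                    # [1, 2, 4]
    print("alerts after tuning exception:", flag_events(SAMPLE_EVENTS, EXAMPLE_EXCEPTIONS))  # [1, 2]
```

Event 4 is the case the false-positive section is about: it alerts under the rule as shipped, and disappears only once the custom console directory is added as an exception. Keep such exceptions as narrow as the verified tooling allows (a specific directory rather than a whole drive), since the rule's value rests on user-writable locations staying outside the exclusion list.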