Microsoft Management Console File from Unusual Path
Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/06/19"
3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
6min_stack_version = "8.14.0"
7updated_date = "2024/10/31"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use
13MSC files for initial access and execution.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Microsoft Management Console File from Unusual Path"
20references = ["https://www.elastic.co/security-labs/grimresource"]
21risk_score = 73
22rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853"
23severity = "high"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Execution",
29 "Data Source: Elastic Endgame",
30 "Data Source: Elastic Defend",
31 "Data Source: SentinelOne",
32 "Data Source: Microsoft Defender for Endpoint",
33 "Data Source: System",
34 "Data Source: Crowdstrike",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where host.os.type == "windows" and event.type == "start" and
41 process.executable : (
42 "?:\\Windows\\System32\\mmc.exe",
43 "\\Device\\HarddiskVolume?\\Windows\\System32\\mmc.exe"
44 ) and
45 process.args : "*.msc" and
46 not process.args : (
47 "?:\\Windows\\System32\\*.msc",
48 "?:\\Windows\\SysWOW64\\*.msc",
49 "?:\\Program files\\*.msc",
50 "?:\\Program Files (x86)\\*.msc"
51 )
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57
58[[rule.threat.technique]]
59id = "T1059"
60name = "Command and Scripting Interpreter"
61reference = "https://attack.mitre.org/techniques/T1059/"
62
63[[rule.threat.technique.subtechnique]]
64id = "T1059.005"
65name = "Visual Basic"
66reference = "https://attack.mitre.org/techniques/T1059/005/"
67
68[[rule.threat.technique.subtechnique]]
69id = "T1059.007"
70name = "JavaScript"
71reference = "https://attack.mitre.org/techniques/T1059/007/"
72
73[rule.threat.tactic]
74id = "TA0002"
75name = "Execution"
76reference = "https://attack.mitre.org/tactics/TA0002/"
77
78
79[[rule.threat]]
80framework = "MITRE ATT&CK"
81[[rule.threat.technique]]
82id = "T1218"
83name = "System Binary Proxy Execution"
84reference = "https://attack.mitre.org/techniques/T1218/"
85[[rule.threat.technique.subtechnique]]
86id = "T1218.014"
87name = "MMC"
88reference = "https://attack.mitre.org/techniques/T1218/014/"
89
90
91
92[rule.threat.tactic]
93id = "TA0005"
94name = "Defense Evasion"
95reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
Elastic researchers uncovered a new technique, GrimResource, which allows full code execution via specially crafted MSC files. It underscores a trend of well-resourced attackers favoring innovative initial access methods to evade defenses.
Read More
Related rules
- Command Execution via SolarWinds Process
- Enumeration Command Spawned via WMIPrvSE
- Potential Foxmail Exploitation
- Process Activity via Compiled HTML File
- Suspicious Cmd Execution via WMI