Microsoft Management Console File from Unusual Path

Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.

Elastic rule

[metadata]
creation_date = "2024/06/19"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for
initial access and execution.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Management Console File from Unusual Path"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft Management Console File from Unusual Path

Microsoft Management Console (MMC) is a Windows utility that provides a framework for system management. Adversaries may exploit MMC by executing .msc files from non-standard directories to bypass security controls. The detection rule identifies such anomalies by monitoring the execution of mmc.exe with .msc files from untrusted paths, flagging potential unauthorized access or execution attempts.

### Possible investigation steps

- Review the process execution details to confirm the path of the mmc.exe and the .msc file being executed. Check if the path is indeed non-standard or untrusted as per the query criteria.
- Investigate the origin of the .msc file by examining file creation and modification timestamps, and check for any recent changes or unusual activity in the directory where the file resides.
- Analyze the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious.
- Check for any related alerts or logs around the same timeframe that might indicate lateral movement or other malicious activities, such as unusual network connections or file access patterns.
- Correlate the event with other data sources mentioned in the rule, such as Microsoft Defender XDR or Crowdstrike, to gather additional context or corroborating evidence of potential malicious activity.
- Assess the risk and impact of the execution by determining if the .msc file has any known malicious signatures or if it attempts to perform unauthorized actions on the system.

### False positive analysis

- Legitimate administrative tasks may trigger this rule if system administrators execute .msc files from custom directories. To manage this, create exceptions for known administrative scripts or tools that are regularly used from non-standard paths.
- Software installations or updates might involve executing .msc files from temporary or installation directories. Monitor these activities and whitelist specific installation paths if they are verified as safe and part of routine operations.
- Automated scripts or third-party management tools could execute .msc files from non-standard locations as part of their normal operation. Identify these tools and add their execution paths to the exception list to prevent unnecessary alerts.
- Development or testing environments may involve running .msc files from various directories for testing purposes. Establish a separate monitoring policy for these environments or exclude known development paths to reduce false positives.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes related to mmc.exe executing from untrusted paths to halt potential malicious activity.
- Conduct a thorough review of the system's recent activity logs to identify any additional indicators of compromise or related suspicious activities.
- Remove any unauthorized .msc files found in non-standard directories and ensure they are not reintroduced.
- Restore the system from a known good backup if any unauthorized changes or damage is detected.
- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
references = ["https://www.elastic.co/security-labs/grimresource"]
risk_score = 47
rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Windows Security Event Logs",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.executable : (
    "?:\\Windows\\System32\\mmc.exe",

    /* Crowdstrike specific condition as it uses NT Object paths */
    "\\Device\\HarddiskVolume*\\Windows\\System32\\mmc.exe"
  ) and
  process.args : "*.msc" and
  not process.args : (
        "?:\\Windows\\System32\\*.msc",
        "?:\\Windows\\SysWOW64\\*.msc",
        "?:\\Program files\\*.msc",
        "?:\\Program Files (x86)\\*.msc",
        "?:\\Windows\\ADFS\\Microsoft.IdentityServer.msc"
  ) and
  not process.command_line : (
    "C:\\Windows\\system32\\mmc.exe eventvwr.msc /s",
    "mmc.exe eventvwr.msc /s",
    "\"C:\\Windows\\System32\\mmc.exe\" CompMgmt.msc*"
  )
'''

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"

[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.014"
name = "MMC"
reference = "https://attack.mitre.org/techniques/T1218/014/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
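As an added example (not code from the Elastic rule or its repository), the EQL predicate above is re-implemented in Python and run over constructed process events, so the effect of the executable check, the trusted-directory exclusions and the literal command-line exclusions can be checked offline. Field names follow the query; the sample paths, user names and volume number are made up.

```python
import re

# EQL ':' is a case-insensitive wildcard match: '*' = any run of characters, '?' = one character.
def eql_match(value, pattern):
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def any_match(values, patterns):
    return any(eql_match(v, p) for v in values for p in patterns)

# Pattern lists transcribed from the rule's query (an EQL "\\" is one literal backslash).
EXECUTABLES = [r"?:\Windows\System32\mmc.exe",
               r"\Device\HarddiskVolume*\Windows\System32\mmc.exe"]  # CrowdStrike NT object path
TRUSTED_MSC = [r"?:\Windows\System32\*.msc", r"?:\Windows\SysWOW64\*.msc",
               r"?:\Program files\*.msc", r"?:\Program Files (x86)\*.msc",
               r"?:\Windows\ADFS\Microsoft.IdentityServer.msc"]
BENIGN_CMDLINES = [r"C:\Windows\system32\mmc.exe eventvwr.msc /s",
                   r"mmc.exe eventvwr.msc /s",
                   r'"C:\Windows\System32\mmc.exe" CompMgmt.msc*']

def rule_matches(ev):
    # Same predicate as the query; 'process.args : (...)' is true if ANY element of the args array matches
    return (ev["host.os.type"] == "windows" and ev["event.type"] == "start"
            and any_match([ev["process.executable"]], EXECUTABLES)
            and any_match(ev["process.args"], ["*.msc"])
            and not any_match(ev["process.args"], TRUSTED_MSC)
            and not any_match([ev["process.command_line"]], BENIGN_CMDLINES))

def make_event(label, exe, args, os_type="windows"):
    return {"label": label, "host.os.type": os_type, "event.type": "start",
            "process.executable": exe, "process.args": args,
            "process.command_line": " ".join(args)}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    make_event("downloads", r"C:\Windows\System32\mmc.exe",
               [r"C:\Windows\System32\mmc.exe", r"C:\Users\alice\Downloads\invoice.msc"]),
    make_event("system32", r"C:\Windows\System32\mmc.exe",
               [r"C:\Windows\System32\mmc.exe", r"C:\Windows\System32\services.msc"]),
    make_event("nt-path-temp", r"\Device\HarddiskVolume3\Windows\System32\mmc.exe",
               [r"mmc.exe", r"C:\Users\Public\Temp\update.msc"]),
    make_event("eventvwr-shorthand", r"C:\Windows\System32\mmc.exe",
               [r"mmc.exe", r"eventvwr.msc", r"/s"]),
    make_event("not-windows", r"C:\Windows\System32\mmc.exe",
               [r"C:\Windows\System32\mmc.exe", r"C:\tmp\x.msc"], os_type="linux"),
]

def alerting_labels(events=SAMPLE_EVENTS):
    return [ev["label"] for ev in events if rule_matches(ev)]  # ['downloads', 'nt-path-temp']
```

The command-line exclusions are literal, so a relative `.msc` argument that is not covered by that list (for example `mmc.exe eventvwr.msc` without `/s`) still alerts, which is where environment-specific exceptions from the false positive section come in.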
