MMC Loading Script Engines DLLs
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
Sigma rule (View on GitHub)
1title: MMC Loading Script Engines DLLs
2id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
3status: experimental
4description: |
5 Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
6 to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
7references:
8 - https://tria.ge/241015-l98snsyeje/behavioral2
9 - https://www.elastic.co/security-labs/grimresource
10author: Swachchhanda Shrawan Poudel (Nextron Systems)
11date: 2025-02-05
12tags:
13 - attack.execution
14 - attack.defense-evasion
15 - attack.t1059.005
16 - attack.t1218.014
17logsource:
18 category: image_load
19 product: windows
20detection:
21 selection:
22 Image|endswith: '\mmc.exe'
23 ImageLoaded|endswith:
24 - '\vbscript.dll'
25 - '\jscript.dll'
26 - '\jscript9.dll'
27 condition: selection
28falsepositives:
29 - Legitimate MMC operations or extensions loading these libraries
30level: medium
References
-
Check this report malware sample ae8d252986c616884c10ab5082088cc9e413ddf5f9a0e292a1f2c5c0764c74e7, with a score of 1 out of 10.
Read More -
Elastic researchers uncovered a new technique, GrimResource, which allows full code execution via specially crafted MSC files. It underscores a trend of well-resourced attackers favoring innovative initial access methods to evade defenses.
Read More
Related rules
- MMC Executing Files with Reversed Extensions Using RTLO Abuse
- Potential SquiblyTwo Technique Execution
- Csc.EXE Execution Form Potentially Suspicious Parent
- HTML Help HH.EXE Suspicious Child Process
- HackTool - CACTUSTORCH Remote Thread Creation