MMC Loading Script Engines DLLs

Detects when the Microsoft Management Console (MMC) loads script engine DLLs such as vbscript.dll, jscript.dll or jscript9.dll, which might indicate an attempt to execute malicious scripts within a trusted system process in order to bypass application whitelisting or evade defenses.

Sigma rule

title: MMC Loading Script Engines DLLs
id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
status: experimental
description: |
    Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
    to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.elastic.co/security-labs/grimresource
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1059.005
    - attack.t1218.014
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\mmc.exe'
        ImageLoaded|endswith:
            - '\vbscript.dll'
            - '\jscript.dll'
            - '\jscript9.dll'
    condition: selection
falsepositives:
    - Legitimate MMC operations or extensions loading these libraries
level: medium
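
The following is an added example, not part of the original rule or the Sigma project's code: it evaluates the rule's `selection` over constructed image-load events to show which ones alert. It assumes Sysmon Event ID 7 field names (`Image`, `ImageLoaded`) and standard Sigma semantics (case-insensitive `endswith`, list values OR'd, fields AND'd); the helper names and sample events are hypothetical.

```python
# Added example: evaluates the rule's `selection` the way Sigma defines it.
SELECTION = {
    "Image": ["\\mmc.exe"],
    "ImageLoaded": ["\\vbscript.dll", "\\jscript.dll", "\\jscript9.dll"],
}

def endswith_any(value, suffixes):
    """Sigma `endswith`: case-insensitive suffix match; list values are OR'd."""
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def matches(event):
    """Every field in the selection must match (AND across fields)."""
    return all(endswith_any(event.get(f), s) for f, s in SELECTION.items())

# Constructed image-load events (not real telemetry).
EVENTS = [
    # mmc.exe loading each of the three script engines -> alert
    {"Image": r"C:\Windows\System32\mmc.exe", "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    {"Image": r"C:\WINDOWS\system32\MMC.EXE", "ImageLoaded": r"C:\Windows\SysWOW64\VBScript.dll"},
    {"Image": r"C:\Windows\System32\mmc.exe", "ImageLoaded": r"C:\Windows\System32\jscript9.dll"},
    # mmc.exe loading one of its own libraries -> no alert
    {"Image": r"C:\Windows\System32\mmc.exe", "ImageLoaded": r"C:\Windows\System32\mmcndmgr.dll"},
    # a script host loading vbscript.dll is outside this rule's scope
    {"Image": r"C:\Windows\System32\wscript.exe", "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    # the leading backslash anchors the file name, so "notmmc.exe" does not match
    {"Image": r"C:\Tools\notmmc.exe", "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    # event missing the ImageLoaded field -> no alert
    {"Image": r"C:\Windows\System32\mmc.exe"},
]

def run(events=EVENTS):
    return [matches(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(EVENTS, run()):
        print("ALERT" if hit else "-    ", e.get("Image"), "->", e.get("ImageLoaded"))
```

The rule matches on file name only, so triage of a hit should also confirm the directory of `Image` and review the `.msc` file that MMC opened.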
