MMC20 Lateral Movement
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
Sigma rule
title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
status: test
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
date: 2020-03-04
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mmc.exe'
        CommandLine|contains: '-Embedding'
    condition: selection
falsepositives:
    - Unlikely
level: high
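To show what the selection above actually fires on, here is an added example (not part of the Sigma project or this rule's page) that evaluates the rule's three field conditions, with Sigma's default case-insensitive string matching, over a few constructed process_creation events: the DCOM-launched MMC the rule targets, and two benign-looking launches that should not match.

```python
# Added example: applies this Sigma rule's `selection` (condition: selection,
# so all fields must match) to constructed process_creation events.
# Field names follow the rule: ParentImage, Image, CommandLine.

SELECTION = {
    "ParentImage|endswith": "\\svchost.exe",
    "Image|endswith": "\\mmc.exe",
    "CommandLine|contains": "-Embedding",
}


def field_matches(modifier: str, value: str, pattern: str) -> bool:
    """Sigma string modifiers compare case-insensitively by default."""
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    if modifier == "":          # no modifier: plain equality
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(event: dict) -> bool:
    """True when every field in the selection matches (logical AND)."""
    for key, pattern in SELECTION.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(modifier, str(value), pattern):
            return False
    return True


def alerts(events: list) -> list:
    """Return the indexes of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # DCOM activation of MMC20.Application: svchost -> mmc.exe -Embedding
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\MMC.EXE",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" -Embedding'},
    {   # an administrator opening a console from the shell: no svchost parent
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" eventvwr.msc'},
    {   # svchost parent but no -Embedding switch: not a DCOM activation
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" services.msc'},
]
```

Only the first event is reported; note that the rule depends on the parent-process field, so telemetry that records only the image and command line (without ParentImage) cannot satisfy it.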
Related rules
- HackTool - Potential Impacket Lateral Movement Activity
- Suspicious WSMAN Provider Image Loads
- SMBexec.py Execution
- Wmiexec.py Execution
- Possible Impacket DCOMExec Connection Attempt - Zeek