MMC Spawning Windows Shell
Detects a Windows command line executable started from MMC
Sigma rule
```yaml
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\mmc.exe'
    selection2:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
              - '\cscript.exe'
              - '\sh.exe'
              - '\bash.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
        - Image|contains: '\BITSADMIN'
    condition: all of selection*
fields:
    - CommandLine
    - Image
    - ParentCommandLine
level: high
```
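As an added example (not the Sigma project's code and not part of this rule's page), the following Python evaluates the rule's detection logic, `all of selection*` with the OR-ed `selection2` list and Sigma's default case-insensitive string matching, against constructed process_creation events; the field names follow Sysmon Event ID 1 and every sample event is made up.

```python
SHELL_SUFFIXES = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
    "\\cscript.exe", "\\sh.exe", "\\bash.exe", "\\reg.exe", "\\regsvr32.exe",
)

def matches_mmc_shell_rule(event: dict) -> bool:
    """True when the event satisfies the rule's 'all of selection*' condition."""
    # Sigma string matching is case-insensitive by default, so normalise both sides.
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    selection1 = parent.endswith("\\mmc.exe")
    # selection2 is a YAML list of two maps; list items are OR-ed, so either
    # a shell/script-host suffix or the BITSADMIN substring satisfies it.
    selection2 = image.endswith(SHELL_SUFFIXES) or "\\bitsadmin" in image
    return selection1 and selection2

def alert_fields(events):
    """Return the rule's 'fields' for each matching event, in input order."""
    return [{k: e.get(k) for k in ("CommandLine", "Image", "ParentCommandLine")}
            for e in events if matches_mmc_shell_rule(e)]

# Constructed sample process_creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mmc.exe",          # hit: cmd from MMC
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentCommandLine": r'"C:\Windows\System32\mmc.exe"'},
    {"ParentImage": r"C:\Windows\System32\MMC.EXE",          # hit: case differs
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /list",
     "ParentCommandLine": r'"C:\Windows\System32\MMC.EXE"'},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",          # miss: not a shell
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" services.msc',
     "ParentCommandLine": r'"C:\Windows\System32\mmc.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",              # miss: parent not MMC
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in alert_fields(SAMPLE_EVENTS):
        print("level=high", hit)
```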
Related rules
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
- HackTool - Potential Impacket Lateral Movement Activity
- Potential DCOM InternetExplorer.Application DLL Hijack
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- Remote DCOM/WMI Lateral Movement