MMC Spawning Windows Shell
Detects a Windows command line executable started from MMC
Sigma rule
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
  - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019/08/05
modified: 2022/07/14
tags:
  - attack.lateral_movement
  - attack.t1021.003
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith: '\mmc.exe'
  selection2:
    - Image|endswith:
        - '\cmd.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\wscript.exe'
        - '\cscript.exe'
        - '\sh.exe'
        - '\bash.exe'
        - '\reg.exe'
        - '\regsvr32.exe'
    - Image|contains: '\BITSADMIN'
  condition: all of selection*
fields:
  - CommandLine
  - Image
  - ParentCommandLine
level: high
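As an added example (not part of the rule above or of the SigmaHQ project), the following Python evaluates this rule's detection logic over constructed process_creation events, showing how `all of selection*` combines the parent-image check with the list of child images and that Sigma string modifiers match case-insensitively. The event dictionaries and the `run` / `matches_rule` helper names are assumptions for illustration.

```python
# Added example: hand-written evaluator for the rule's detection block
# (not a Sigma backend). Sigma's |endswith and |contains modifiers are
# case-insensitive, so both sides are lower-cased before comparing.

PARENT_SUFFIX = "\\mmc.exe"
CHILD_SUFFIXES = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
    "\\cscript.exe", "\\sh.exe", "\\bash.exe", "\\reg.exe", "\\regsvr32.exe",
)
CHILD_CONTAINS = "\\bitsadmin"


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies 'all of selection*'."""
    parent = str(event.get("ParentImage", "")).lower()
    image = str(event.get("Image", "")).lower()
    selection1 = parent.endswith(PARENT_SUFFIX)
    # selection2 is a list of two maps, so matching either map is enough.
    selection2 = image.endswith(CHILD_SUFFIXES) or CHILD_CONTAINS in image
    return selection1 and selection2


def alert_fields(event: dict) -> dict:
    """Project the fields the rule lists for triage."""
    return {k: event.get(k) for k in ("CommandLine", "Image", "ParentCommandLine")}


# Constructed sample events (not real telemetry) to exercise the rule.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mmc.exe",        # mmc -> cmd: hit
     "ParentCommandLine": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig"},
    {"ParentImage": r"C:\WINDOWS\system32\MMC.EXE",        # mixed case: hit
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /list"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # wrong parent: miss
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",        # benign child: miss
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the triage fields of every event the rule would flag."""
    return [alert_fields(e) for e in events if matches_rule(e)]
```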
Related rules
- Suspicious WSMAN Provider Image Loads
- Possible Impacket DCOMExec Connection Attempt - Zeek
- Remote DCOM/WMI Lateral Movement
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- HackTool - Potential Impacket Lateral Movement Activity