MMC Spawning Windows Shell

Hunt Hypothesis

Detects a Windows command line executable started from MMC

Detection Rule

Sigma (Original)

title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\mmc.exe'
    selection2:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
              - '\cscript.exe'
              - '\sh.exe'
              - '\bash.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
        - Image|contains: '\BITSADMIN'
    condition: all of selection*
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\mmc.exe" or ActingProcessName endswith "\\mmc.exe") and ((TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\wscript.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\sh.exe" or TargetProcessName endswith "\\bash.exe" or TargetProcessName endswith "\\reg.exe" or TargetProcessName endswith "\\regsvr32.exe") or TargetProcessName contains "\\BITSADMIN")

Required Data Sources

False Positive Guidance

No known false positives documented.

MITRE ATT&CK Context

• Tactic: Lateral Movement
• Technique: T1021.003 — T1021.003

References

• https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
• SigmaHQ Rule