a possible false positive (fp) for the execution of .msc files is legitimate administrative activity, since .msc files are standard microsoft management console snap-ins used for system administration.

Techniques

T1218.014

Sample rules

Windows Execution of Microsoft MSC File In Suspicious Path

source: splunk
technicques:
- T1218.014

Description

The following analytic detects when a Microsoft Management Console (MMC) process executes an .msc file in a suspicious path on a Windows system. While .msc files are legitimate components used for system administration, unexpected execution of these files by non-administrative processes or in unusual contexts can indicate malicious activity, such as living-off-the-land attacks, persistence mechanisms, or automated administrative abuse. This detection monitors process creation events, command-line arguments, and parent process relationships to help distinguish normal administrative usage from potential threats. Alerts should be investigated in the context of the process initiating the .msc file, the target system, and any subsequent network or system activity, as routine administrative tasks may also trigger this behavior.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes 
where (Processes.process_name=mmc.exe)  
AND Processes.process = "*.msc*" 
AND Processes.process IN (
  "*\\PerfLogs\\*",
  "*\\programdata\\*"
  "*Recycle.bin*",
  "*\\Download*",
  "*\\temp\\*",
  "*\\Users\\Administrator\\Music\\*",
  "*\\Users\\Default\\*",
  "*\\Users\\Public\\*",
  "*\\Users\\Administrator\\Music\\*",
  "*:\\Windows\\Prefetch\\*", 
  "*:\\Windows\\Cursors\\*", 
  "*:\\Windows\\INF\\*"
  "*:\\Windows\\debug\\*",
  "*:\\Windows\\fonts\\*",
  "*:\\Windows\\Media\\*",
  "*:\\Windows\\repair\\*",
  "*:\\Windows\\servicing\\*",
  )
AND NOT (Processes.process IN ("*C:\\Windows\\System32\\eventvwr.msc*", "*C:\\Windows\\System32\\certmgr.msc*"))

by Processes.action
Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)` 

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)`

| `windows_execution_of_microsoft_msc_file_in_suspicious_path_filter`