LoFP / legitimate administrative actions using mmc to execute misnamed `.msc` files.

Techniques

Sample rules

MMC Executing Files with Reversed Extensions Using RTLO Abuse

Description

Detects the MMC utility (mmc.exe) launching a file whose name contains a Right-to-Left Override character (RLO, U+202E). Everything after the override is rendered right to left, so a file that really ends in `.msc` (and is therefore opened by mmc.exe), such as `report<RLO>cod.msc`, is displayed as `reportcsm.doc`, disguising the console file as a document. The rule keys on the reversed extension strings (`cod.msc`, `fdp.msc`, ...) in the command line, so a legitimately misnamed `.msc` file whose name happens to end in one of them (for example `unicod.msc`) will also match.

Detection logic

condition: all of selection_*
selection_commandline:
  CommandLine|contains:
    - 'cod.msc'
    - 'fdp.msc'
    - 'ftr.msc'
    - 'lmth.msc'
    - 'slx.msc'
    - 'tdo.msc'
    - 'xcod.msc'
    - 'xslx.msc'
    - 'xtpp.msc'
selection_image:
  - Image|endswith: '\mmc.exe'
  - OriginalFileName: 'MMC.exe'
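The following is an added example, not part of the LoFP page or of the Sigma rule it documents. It builds an RLO-disguised `.msc` filename, shows how a bidi-aware UI renders it, and evaluates the rule's two selections (with Sigma's default case-insensitive matching) over constructed Sysmon-style process-creation records. The records, the `mmc_event` helper and the `has_rlo` check are assumptions of this example; the latter only works if the logging pipeline preserves U+202E in `CommandLine`, which should be verified per environment. The sample set includes the `unicod.msc` false positive from this page and, going beyond the page, a fake `.xml` extension that the rule's list does not cover but the character check still catches.

```python
# Added example, not part of the LoFP page or the Sigma rule it documents.
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

# The CommandLine|contains list from the rule, as written on the page.
REVERSED_EXTENSIONS = [
    "cod.msc", "fdp.msc", "ftr.msc", "lmth.msc", "slx.msc",
    "tdo.msc", "xcod.msc", "xslx.msc", "xtpp.msc",
]

MMC = "C:\\Windows\\System32\\mmc.exe"


def rlo_disguise(stem: str, fake_ext: str) -> str:
    """Build a real .msc filename that renders as stem + reversed tail.

    Everything after U+202E is drawn right-to-left, so the trailing
    'cod.msc' is displayed as 'csm.doc'.
    """
    return f"{stem}{RLO}{fake_ext[::-1]}.msc"


def rendered(name: str) -> str:
    """Approximate what a user sees: text after the override is reversed."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def matches_rule(event: dict) -> bool:
    """Evaluate 'all of selection_*' with case-insensitive matching."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection_image = image.endswith("\\mmc.exe") or original == "mmc.exe"
    selection_commandline = any(s in cmdline for s in REVERSED_EXTENSIONS)
    return selection_image and selection_commandline


def has_rlo(event: dict) -> bool:
    """Higher-fidelity check: the override character itself is present.

    Assumption: the log source keeps U+202E in CommandLine unchanged.
    """
    return RLO in event.get("CommandLine", "")


def mmc_event(target: str, image: str = MMC) -> dict:
    """Constructed Sysmon EventID 1 style record (sample input, not a real log)."""
    return {
        "Image": image,
        "OriginalFileName": "MMC.exe" if image == MMC else "",
        "CommandLine": f'"{image}" "{target}"',
    }


# Constructed sample events: one true positive, the page's false positive,
# a normal console, a non-mmc process, and an extension the rule's list lacks.
SAMPLE_EVENTS = {
    "rlo_doc": mmc_event("C:\\Users\\bob\\Downloads\\" + rlo_disguise("report", "doc")),
    "misnamed_legit": mmc_event("C:\\Admin\\unicod.msc"),
    "services": mmc_event("C:\\Windows\\System32\\services.msc"),
    "not_mmc": mmc_event("C:\\Temp\\cod.msc", image="C:\\Windows\\System32\\notepad.exe"),
    "rlo_xml": mmc_event(rlo_disguise("config", "xml")),
}


def evaluate() -> dict:
    """Return {name: (rule matched, RLO character present)} for each sample."""
    return {name: (matches_rule(ev), has_rlo(ev)) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print("displayed as:", rendered(rlo_disguise("report", "doc")))
    for name, (hit, rlo) in evaluate().items():
        print(f"{name:16} rule_match={hit!s:5} rlo_char={rlo}")
```

Running it shows `misnamed_legit` firing the rule without any override character present, which is exactly the false positive this page records, while `rlo_xml` carries the override but misses the rule's fixed list. Pairing the substring rule with a check for U+202E in the command line separates the two cases when the log source preserves the character.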