LoFP / legitimate mmc operations or extensions loading these libraries

Techniques

Sample rules

MMC Loading Script Engines DLLs

Description

Detects when the Microsoft Management Console (MMC) loads script engine DLLs such as vbscript.dll, jscript.dll or jscript9.dll, which might indicate an attempt to execute malicious scripts within a trusted system process in order to bypass application whitelisting or evade defenses.

Detection logic

condition: selection
selection:
  ImageLoaded|endswith:
  - \vbscript.dll
  - \jscript.dll
  - \jscript9.dll
  Image|endswith: \mmc.exe
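
The selection above, evaluated in Python over constructed image-load events, as an added example that is not part of the original rule. It assumes Sigma's default case-insensitive string matching; the helper names and the sample paths are illustrative.

```python
# Added example: applies the rule's selection to constructed image-load events.
SCRIPT_ENGINE_DLLS = ("\\vbscript.dll", "\\jscript.dll", "\\jscript9.dll")
HOST_IMAGE = "\\mmc.exe"


def endswith_any(value, suffixes):
    """Sigma |endswith: case-insensitive suffix match, OR across list items."""
    if not isinstance(value, str):
        return False  # a missing field never satisfies the selection
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def selection(event):
    """Fields inside one selection are ANDed: mmc.exe AND a script engine DLL."""
    return (endswith_any(event.get("Image"), (HOST_IMAGE,))
            and endswith_any(event.get("ImageLoaded"), SCRIPT_ENGINE_DLLS))


def find_hits(events):
    """Return the events that the rule would alert on."""
    return [e for e in events if selection(e)]


# Constructed sample events (field names follow the rule; values are made up).
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    # Hit: mmc.exe loads the VBScript engine.
    {"Image": SYS32 + "mmc.exe", "ImageLoaded": SYS32 + "vbscript.dll"},
    # Hit: same pattern in upper case, matched because Sigma ignores case.
    {"Image": "C:\\WINDOWS\\SYSTEM32\\MMC.EXE", "ImageLoaded": SYS32 + "JSCRIPT9.DLL"},
    # No hit: mmc.exe loading a DLL that is not a script engine.
    {"Image": SYS32 + "mmc.exe", "ImageLoaded": SYS32 + "mmcndmgr.dll"},
    # No hit: script engine loaded by a different host process.
    {"Image": SYS32 + "wscript.exe", "ImageLoaded": SYS32 + "vbscript.dll"},
    # No hit: the leading backslash anchors the file name, so xmmc.exe is excluded.
    {"Image": "C:\\Tools\\xmmc.exe", "ImageLoaded": SYS32 + "jscript.dll"},
    # No hit: event without an ImageLoaded field.
    {"Image": SYS32 + "mmc.exe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["ImageLoaded"])
```

Because the rule keys only on the file-name suffix, a legitimate MMC operation or extension that loads one of these libraries produces the same hit as a malicious one, which is the false positive this page names.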