Techniques
Sample rules
MMC Loading Script Engines DLLs
- source: sigma
- techniques:
  - t1059
  - t1059.005
  - t1218
  - t1218.014
Description
Detects when the Microsoft Management Console (MMC) loads script engine DLLs such as vbscript and jscript, which might indicate an attempt to execute malicious scripts within a trusted system process in order to bypass application whitelisting or evade defenses.
Detection logic
condition: selection
selection:
  ImageLoaded|endswith:
    - \vbscript.dll
    - \jscript.dll
    - \jscript9.dll
  Image|endswith: \mmc.exe
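
The selection above, evaluated over constructed image-load events, as an added example that is not part of the Sigma rule or the original page. The field names `Image` and `ImageLoaded` come from the rule; the helper names and sample events are assumptions made for illustration.

```python
# Added example: applies the rule's selection to constructed image-load events.
SELECTION = {
    "ImageLoaded|endswith": ["\\vbscript.dll", "\\jscript.dll", "\\jscript9.dll"],
    "Image|endswith": "\\mmc.exe",
}

def field_matches(event, key, expected):
    """Apply one 'Field|endswith' entry; a list of values is ORed."""
    field, _, modifier = key.partition("|")
    if modifier != "endswith":
        raise ValueError(f"unsupported modifier: {modifier!r}")
    value = event.get(field)
    if not isinstance(value, str):
        return False  # a missing field never matches
    candidates = expected if isinstance(expected, list) else [expected]
    # Sigma string comparison is case-insensitive by default.
    return any(value.lower().endswith(c.lower()) for c in candidates)

def matches(event, selection=SELECTION):
    """Every field inside one selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Constructed sample events (not real telemetry).
EVENTS = [
    # mmc.exe loading a script engine: should alert
    {"Image": r"C:\Windows\System32\mmc.exe", "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    # same behaviour with different casing: should still alert
    {"Image": r"C:\WINDOWS\system32\MMC.EXE", "ImageLoaded": r"C:\Windows\SysWOW64\VBScript.dll"},
    # mmc.exe loading an unrelated DLL: no alert
    {"Image": r"C:\Windows\System32\mmc.exe", "ImageLoaded": r"C:\Windows\System32\mmcndmgr.dll"},
    # script engine loaded by a different host process: outside this rule
    {"Image": r"C:\Windows\System32\wscript.exe", "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    # the leading backslash anchors on the file name, so "notmmc.exe" does not match
    {"Image": r"C:\Tools\notmmc.exe", "ImageLoaded": r"C:\Windows\System32\jscript9.dll"},
    # event without an ImageLoaded field: no alert
    {"Image": r"C:\Windows\System32\mmc.exe"},
]

def alerts(events=EVENTS):
    """Return the indexes of events that satisfy 'condition: selection'."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    for i in alerts():
        print("ALERT", EVENTS[i]["Image"], "loaded", EVENTS[i]["ImageLoaded"])
```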