Abuse of mmc.exe to execute non-Microsoft or user-staged .msc files and malicious COM CLSIDs. Behavioral chain: (1) suspicious mmc.exe invocation with /a or -Embedding and non-standard .msc path → (2) COM activation of non-baseline CLSIDs by mmc.exe → (3) mmc.exe loads non-baseline DLLs (user-writable/UNC/unsigned) → (4) optional network/DNS activity from mmc.exe.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| OS API Execution (DC0021) | WinEventLog:Microsoft-Windows-COM/Operational | CLSID activation events where ProcessName=mmc.exe and CLSID not in allowed baseline |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| TimeWindow | Correlation window (e.g., 5–10 minutes) tying .msc creation → mmc.exe start → module loads → COM/net activity. |
| AllowedMSCList | Set of Microsoft-supplied .msc names/paths allowed in the environment to suppress noise. |
| SuspiciousMSCPathRegex | Regex for user-writable and network paths indicating risky .msc staging (Users, AppData, Downloads, Desktop, UNC). |
| AllowedCLSIDs | Baseline of CLSIDs expected to be activated by mmc.exe; alert on unknown/new. |
| ParentProcessAllowList | Expected parents for mmc.exe (explorer.exe, services) vs. unusual (powershell, wscript, office apps). |
| SignedToUnsignedTransition | Flag when signed mmc.exe results in loading unsigned DLLs. |
| ExternalIPAllowlist | Approved external ranges/domains to exclude when mmc.exe makes network requests. |
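The behavioral chain and the tunables in the field table, worked through as a small correlator over constructed Sysmon/COM-style records (added example code, not part of the original detection strategy). Assumptions: every record carries the mmc.exe ProcessGuid so the sources can be joined, the COM record uses the made-up keys `Channel` and `CLSID`, and all baseline values (allowed .msc names, CLSIDs, parents, external prefixes) are placeholders an environment would replace.

```python
import re
from datetime import datetime, timedelta
# Tunables mirroring the field table; every value here is a constructed example, not a vendor baseline.
TIME_WINDOW = timedelta(minutes=10)
ALLOWED_MSC = {"compmgmt.msc", "eventvwr.msc", "services.msc"}
SUSPICIOUS_MSC_PATH = re.compile(r"\\(users|appdata|downloads|desktop)\\|^\\\\", re.I)
ALLOWED_CLSIDS = {"{00000000-0000-0000-0000-000000000001}"}  # placeholder baseline entry
PARENT_ALLOW = {"explorer.exe", "services.exe"}
EXTERNAL_ALLOW = ("10.",)  # approved prefixes; a real deployment would use CIDR ranges/domains
_ts = lambda ev: datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")

def suspicious_mmc_start(ev):
    """Stage 1: mmc.exe started with /a or -Embedding plus a staged/non-allow-listed .msc or an odd parent."""
    if ev.get("EventCode") != 1 or not ev["Image"].lower().endswith("\\mmc.exe"):
        return False
    cmd = ev["CommandLine"]
    flagged_switch = re.search(r"(?:^|\s)(/a|-embedding)(?:\s|$)", cmd, re.I) is not None
    staged = any(SUSPICIOUS_MSC_PATH.search(m) or m.rsplit("\\", 1)[-1].lower() not in ALLOWED_MSC
                 for m in re.findall(r"\S+\.msc", cmd, re.I))
    odd_parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower() not in PARENT_ALLOW
    return flagged_switch and (staged or odd_parent)

def correlate(events):
    """Tie events to a suspicious start by ProcessGuid inside TIME_WINDOW; return chains where stage 2 or 3 followed."""
    chains = {}
    for ev in sorted(events, key=_ts):
        guid = ev["ProcessGuid"]
        if suspicious_mmc_start(ev):
            chains[guid] = {"start": _ts(ev), "stages": {1}}
            continue
        c = chains.get(guid)
        if c is None or _ts(ev) - c["start"] > TIME_WINDOW:
            continue
        if ev.get("Channel") == "COM" and ev["CLSID"].lower() not in ALLOWED_CLSIDS:
            c["stages"].add(2)  # non-baseline CLSID activated by mmc.exe
        elif ev.get("EventCode") == 7 and (ev.get("Signed") == "false" or SUSPICIOUS_MSC_PATH.search(ev["ImageLoaded"])):
            c["stages"].add(3)  # signed mmc.exe loading an unsigned or user-writable DLL
        elif ev.get("EventCode") == 3 and not ev["DestinationIp"].startswith(EXTERNAL_ALLOW):
            c["stages"].add(4)  # egress not covered by the allowlist; optional, raises severity only
    return {g: sorted(c["stages"]) for g, c in chains.items() if c["stages"] & {2, 3}}

SAMPLE_EVENTS = [  # constructed Sysmon/COM-style records sharing one ProcessGuid; not real telemetry
    {"EventCode": 1, "UtcTime": "2024-01-01 10:01:00", "ProcessGuid": "B", "Image": "C:\\Windows\\System32\\mmc.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "mmc.exe /a C:\\Users\\jdoe\\Downloads\\update.msc"},
    {"Channel": "COM", "UtcTime": "2024-01-01 10:01:05", "ProcessGuid": "B", "CLSID": "{ffffffff-1111-2222-3333-444444444444}"},
    {"EventCode": 7, "UtcTime": "2024-01-01 10:01:08", "ProcessGuid": "B", "Signed": "false",
     "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\snapin.dll"},
    {"EventCode": 3, "UtcTime": "2024-01-01 10:01:20", "ProcessGuid": "B", "DestinationIp": "203.0.113.7"},
]
```

`correlate(SAMPLE_EVENTS)` returns `{'B': [1, 2, 3, 4]}`; a start followed only by stage 4, or by events outside TIME_WINDOW, produces no alert.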