Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.[1][2] MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.[3]
For example, `mmc C:\Users\foo\admintools.msc /a` will open a custom, saved console msc file in author mode.[1] Another common example is `mmc gpedit.msc`, which will open the Group Policy Editor application window.
Adversaries may use MMC commands to perform malicious tasks. For example, `mmc wbadmin.msc delete catalog -quiet` deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).[4][5]
Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object.[6] Then, adversaries may create custom consoles with the "Link to Web Address" snap-in that is linked to the malicious CLSID subkey.[7] Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: `mmc.exe -Embedding C:\path\to\test.msc`.[8]
| ID | Name | Description |
|---|---|---|
| G1051 | Medusa Group | Medusa Group has leveraged Microsoft Management Console (MMC) to facilitate lateral movement and to interact locally or remotely with victim devices using the command |
| C0047 | RedDelta Modified PlugX Infection Chain Operations | Mustang Panda used Microsoft Management Console Snap-In Control files, or MSC files, executed via MMC to run follow-on PowerShell commands during RedDelta Modified PlugX Infection Chain Operations.[10] |

| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | MMC may not be necessary within a given environment since it is primarily used by system administrators, not regular users or clients. |
| M1038 | Execution Prevention | Use application control configured to block execution of MMC if it is not required for a given system or network to prevent potential misuse by adversaries. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0222 | Detecting MMC (.msc) Proxy Execution and Malicious COM Activation | AN0622 | Abuse of mmc.exe to execute non-Microsoft or user-staged .msc files and malicious COM CLSIDs. Behavioral chain: (1) suspicious mmc.exe invocation with /a or -Embedding and non-standard .msc path → (2) COM activation of non-baseline CLSIDs by mmc.exe → (3) mmc.exe loads non-baseline DLLs (user-writable/UNC/unsigned) → (4) optional network/DNS activity from mmc.exe. |