T1218.014 MMC
Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.[4][7] MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft-created .msc files to manage system configuration.[3]
For example, `mmc C:\Users\foo\admintools.msc /a` will open a custom, saved console .msc file in author mode.[4] Another common example is `mmc gpedit.msc`, which will open the Group Policy Editor application window.
Adversaries may use MMC commands to perform malicious tasks. For example, `mmc wbadmin.msc delete catalog -quiet` deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).[5][8]
Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object.[6] Then, adversaries may create custom consoles with the "Link to Web Address" snap-in that is linked to the malicious CLSID subkey.[2] Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: `mmc.exe -Embedding C:\path\to\test.msc`.[1]
| Item | Value |
|---|---|
| ID | T1218.014 |
| Sub-techniques | T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014 |
| Tactics | TA0005 |
| Platforms | Windows |
| Version | 2.0 |
| Created | 28 September 2021 |
| Last Modified | 20 May 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | MMC may not be necessary within a given environment since it is primarily used by system administrators, not regular users or clients. |
| M1038 | Execution Prevention | Use application control configured to block execution of MMC if it is not required for a given system or network to prevent potential misuse by adversaries. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0009 | Process | Process Creation |
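The process-creation and command-execution data sources above can be turned into concrete checks. The following is an added example, not part of the ATT&CK page: it runs three rules drawn from the commands described in this technique (a custom .msc loaded from outside System32, the `-Embedding` switch, and `wbadmin.msc delete catalog`) over constructed Sysmon-style process-creation records. The record field names and the sample paths are assumptions for illustration.

```python
import re
import shlex

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" gpedit.msc'},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc.exe -Embedding C:\Users\foo\AppData\Local\Temp\test.msc"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc wbadmin.msc delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\foo\notes.txt"},
]

# Microsoft-shipped consoles (gpedit.msc, wbadmin.msc, ...) live here; a full path elsewhere is a custom console.
SYSTEM_MSC_DIR = "c:\\windows\\system32\\"

def msc_args(cmdline):
    """Return the .msc arguments of a command line (Windows-style quoting, quotes stripped)."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        parts = cmdline.split()
    return [p.strip('"') for p in parts if p.strip('"').lower().endswith(".msc")]

def classify(event):
    """Return the reasons an mmc.exe process-creation event looks suspicious ([] if benign)."""
    reasons = []
    if not event["Image"].lower().endswith("\\mmc.exe"):
        return reasons
    cmd = event["CommandLine"]
    flags = {p.lower() for p in cmd.split() if p[:1] in ("-", "/")}
    if "-embedding" in flags:
        reasons.append("mmc.exe started with -Embedding (COM activation of a saved console)")
    for msc in msc_args(cmd):
        # A bare name like gpedit.msc resolves from MMC's own search path; a path outside System32 is a custom console.
        if "\\" in msc and not msc.lower().startswith(SYSTEM_MSC_DIR):
            reasons.append(f"custom .msc outside System32: {msc}")
    if re.search(r"wbadmin\.msc\s+delete\s+catalog", cmd, re.IGNORECASE):
        reasons.append("wbadmin.msc delete catalog (backup catalog deletion, Inhibit System Recovery)")
    return reasons

def scan(events):
    """Map event index -> reasons for every event that triggered at least one rule."""
    return {i: r for i, r in ((i, classify(e)) for i, e in enumerate(events)) if r}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", "; ".join(reasons))
```

A bare `gpedit.msc` stays quiet because it is one of Microsoft's own consoles; the file-creation data source (DS0022) can be covered the same way by alerting on .msc files written under a user profile.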
References
1. bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021.
2. Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021.
3. Brinkmann, M. (2017, June 10). Windows .msc files overview. Retrieved September 20, 2021.
4. Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021.
5. Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021.
6. Microsoft. (2018, May 31). CLSID Key. Retrieved September 24, 2021.
7. Microsoft. (2020, September 27). What is Microsoft Management Console? Retrieved October 5, 2021.
8. Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021.