Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways, either through its GUI or from a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft-created .msc files to manage system configuration.(Citation: win_msc_files_overview)
For example, <code>mmc C:\Users\foo\admintools.msc /a</code> will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is <code>mmc gpedit.msc</code>, which will open the Group Policy Editor application window.
Adversaries may use MMC commands to perform malicious tasks. For example, <code>mmc wbadmin.msc delete catalog -quiet</code> deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: <code>wbadmin.msc</code> may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)
Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: <code>mmc.exe -Embedding C:\path\to\test.msc</code>.(Citation: abusing_com_reg)
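The detection logic below is an added example and is not part of the ATT&CK page or any MITRE tooling. It scans constructed, Sysmon-style process-creation records (assumed field names `Image`, `CommandLine`, `ParentImage`) for the three patterns described above: an .msc loaded from outside the Windows system directories, the `-Embedding` switch used for COM-activated console launches, and `wbadmin.msc` invoked with `delete catalog`. The trusted-directory list is an assumption for illustration; tune it to your own baseline of sanctioned console locations.

```python
"""Flag suspicious mmc.exe invocations in process-creation telemetry (added example)."""
import re

# Assumed baseline: .msc consoles shipped with Windows live under these directories.
TRUSTED_MSC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Matches either a full drive/UNC path ending in .msc or a bare console name such as gpedit.msc.
MSC_RE = re.compile(r'"?((?:[a-z]:\\|\\\\)[^"\s]*?\.msc|[\w.-]+\.msc)"?', re.IGNORECASE)

# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\gpedit.msc',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc.exe -Embedding C:\Users\foo\AppData\Local\Temp\test.msc",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc wbadmin.msc delete catalog -quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc C:\Users\foo\admintools.msc /a",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe readme.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def extract_msc_paths(command_line):
    """Return every .msc reference (path or bare name) found in a command line."""
    return [m.group(1) for m in MSC_RE.finditer(command_line)]


def is_trusted_msc(msc_ref):
    """A bare console name is left to MMC's own search path; an explicit path must sit in a trusted dir."""
    ref = msc_ref.lower()
    if "\\" not in ref:
        return True
    return any(ref.startswith(d) for d in TRUSTED_MSC_DIRS)


def analyze_event(event):
    """Evaluate one process-creation record; returns a list of finding dicts (empty if benign)."""
    findings = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\mmc.exe"):
        return findings
    low = cmd.lower()

    # Rule 1: console file loaded from a user-writable or otherwise untrusted location.
    for msc in extract_msc_paths(cmd):
        if not is_trusted_msc(msc):
            findings.append({"rule": "msc_outside_system_dirs", "evidence": msc, "command_line": cmd})

    # Rule 2: -Embedding switch, the COM-activation form described in the technique text.
    if re.search(r"(^|\s)-embedding(\s|$)", low):
        findings.append({"rule": "mmc_embedding_switch", "evidence": "-Embedding", "command_line": cmd})

    # Rule 3: backup catalog deletion through the wbadmin console (Inhibit System Recovery).
    if "wbadmin.msc" in low and re.search(r"\bdelete\s+catalog\b", low):
        findings.append({"rule": "wbadmin_delete_catalog", "evidence": "delete catalog", "command_line": cmd})

    return findings


def analyze_events(events):
    """Run every rule over a batch of records and flatten the findings."""
    return [f for e in events for f in analyze_event(e)]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['evidence']}  <-  {finding['command_line']}")
```

On the constructed sample, the gpedit.msc launch from System32 and the notepad record produce nothing, the `-Embedding` launch of a console under `%TEMP%` raises two findings, and the `wbadmin.msc delete catalog` and user-profile `admintools.msc` launches raise one each. Pair the command-line rules with registry auditing on CLSID subkey creation, since the .msc file alone does not reveal the COM object it points to.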
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
CM-11 | User-installed Software | Protects | T1218.014 | MMC |
CM-02 | Baseline Configuration | Protects | T1218.014 | MMC |
CM-06 | Configuration Settings | Protects | T1218.014 | MMC |
CM-07 | Least Functionality | Protects | T1218.014 | MMC |
CM-08 | System Component Inventory | Protects | T1218.014 | MMC |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1218.014 | MMC |
SI-10 | Information Input Validation | Protects | T1218.014 | MMC |
SI-16 | Memory Protection | Protects | T1218.014 | MMC |
SI-03 | Malicious Code Protection | Protects | T1218.014 | MMC |
SI-04 | System Monitoring | Protects | T1218.014 | MMC |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1218.014 | MMC |