Description
Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)
For example, mmc C:\Users\foo\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window.
Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)
Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\path\to\test.msc.(Citation: abusing_com_reg)
Platforms
Mitigations (2)
Disable or Remove Feature or ProgramM1042
MMC may not be necessary within a given environment since it is primarily used by system administrators, not regular users or clients.
Execution PreventionM1038
Use application control configured to block execution of MMC if it is not required for a given system or network to prevent potential misuse by adversaries.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has leveraged Microsoft Management Console (MMC) to facilitate lateral movement and to interact ... |
References
- bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021.
- Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021.
- Brinkmann, M.. (2017, June 10). Windows .msc files overview. Retrieved September 20, 2021.
- Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021.
- Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021.
- Microsoft. (2018, May 31). CLSID Key. Retrieved September 24, 2021.
- Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021.
- Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021.
Frequently Asked Questions
What is T1218.014 (MMC)?
T1218.014 is a MITRE ATT&CK technique named 'MMC'. It belongs to the Stealth tactic(s). Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI o...
How can T1218.014 be detected?
Detection of T1218.014 (MMC) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1218.014?
There are 2 documented mitigations for T1218.014. Key mitigations include: Disable or Remove Feature or Program, Execution Prevention.
Which threat groups use T1218.014?
Known threat groups using T1218.014 include: Medusa Group.