Suspicious MSC

Query

# Rule Documentation: Suspicious Microsoft Common Console File Execution

## Description
Detects processes spawned by the Microsoft Management Console (mmc.exe) after it was launched with a Microsoft Common Console (.msc) file that is not stored in the Windows system32 directory. The built-in consoles (services.msc, compmgmt.msc and the rest) live in system32; an .msc opened from a user-writable path such as a download or temporary directory can carry a task that launches an arbitrary command, which surfaces as a new process whose parent is mmc.exe.
Background on the MSC lure this rule was written for: https://www.genians.co.kr/blog/threat_intelligence/facebook

## Detection Logic
- Filters `DeviceProcessEvents` for rows whose `InitiatingProcessCommandLine` (the parent's command line) contains both the term `mmc` and the term `.msc`, i.e. processes started by an MMC instance that loaded a console file.
- Excludes rows whose parent command line matches `<drive>:\Windows\system32\` (any drive letter, case-insensitive), intended to drop the built-in consoles.
- Excludes child processes whose PE internal file name is `vbc.exe` or `WerFault.exe`, tuned out as noise from mmc.exe. The `!in` comparison is case-sensitive.

## Tags
- Execution Monitoring
- Privilege Escalation

## Search Query
```kql
DeviceProcessEvents
// Parent (initiating) command line names mmc and an .msc console file;
// the rows returned are the child processes that MMC spawned.
| where InitiatingProcessCommandLine has_all ("mmc", @".msc")
// Drop built-in consoles under <drive>:\Windows\system32\ (any drive letter, case-insensitive).
// Note: the pattern is unanchored, so a parent command line that references mmc.exe by its
// full system32 path, e.g. C:\WINDOWS\system32\mmc.exe "C:\Users\...\file.msc", is dropped too;
// restrict the pattern to the .msc argument if launches of that shape must be kept.
| where not(InitiatingProcessCommandLine matches regex @"(?i)[A-Za-z]:\\Windows\\system32\\.*")
// Known noisy children of mmc.exe, compared by PE internal name (!in is case-sensitive).
| where ProcessVersionInfoInternalFileName !in ("vbc.exe", "WerFault.exe")
```

Explanation

This query flags processes spawned by the Microsoft Management Console (MMC) after it loaded a console (.msc) file. Step by step:

  1. Find children of MMC: it keeps rows whose `InitiatingProcessCommandLine`, the command line of the parent process, contains both the term "mmc" and the term ".msc". The row itself is the child process (for example a command shell or script host) that the console launched.
  2. Exclude system32: rows whose parent command line matches `<drive>:\Windows\system32\` (any drive letter, case-insensitive) are dropped. The intent is to ignore the built-in consoles that live there. Because the pattern is unanchored, it also matches when mmc.exe itself is referenced by its full system32 path, which is how the shell launches a double-clicked .msc; anchoring the pattern to the .msc argument (for example `(?i)[A-Za-z]:\\Windows\\system32\\[^"\s]*\.msc`) keeps the exclusion limited to consoles stored in system32.
  3. Exclude known noise: children whose PE internal file name is "vbc.exe" or "WerFault.exe" are removed. `!in` is case-sensitive, so the values must match the version-information string exactly.

In summary, the query surfaces processes launched from an MMC console file that is not one of the system-directory consoles and that are not one of the two excluded child processes. To triage a hit, review the .msc path in the parent command line and the child's own command line.
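To see the three filters act on concrete rows, here is the rule's logic re-implemented in Python over a handful of constructed `DeviceProcessEvents`-style records. This is an added example, not part of the original rule or the site's code: `kql_has_all` approximates KQL term matching (whole, case-insensitive alphanumeric terms), Python `re` stands in for `matches regex`, and the sample command lines and internal file names are made up for the demonstration. It also runs the same rows through a tightened system32 pattern that only matches when the .msc argument itself sits under system32, so the difference between the two exclusions is visible.

```python
import re

# Constructed DeviceProcessEvents-style rows (not real telemetry). Each row is the
# child process that an mmc.exe instance spawned; the parent's command line is in
# InitiatingProcessCommandLine, as in the rule.
SAMPLE_EVENTS = [
    {"id": 1,  # built-in console under system32: legitimate, should be suppressed
     "InitiatingProcessCommandLine": r'"C:\WINDOWS\system32\mmc.exe" "C:\Windows\system32\services.msc"',
     "ProcessVersionInfoInternalFileName": "dllhost.exe"},
    {"id": 2,  # bare "mmc.exe" with a console in Downloads that launched a shell
     "InitiatingProcessCommandLine": r"mmc.exe C:\Users\victim\Downloads\invoice.msc",
     "ProcessVersionInfoInternalFileName": "cmd.exe"},
    {"id": 3,  # double-click launch: full system32 path to mmc.exe, console in Temp
     "InitiatingProcessCommandLine": r'"C:\WINDOWS\system32\mmc.exe" "C:\Users\victim\AppData\Local\Temp\report.msc"',
     "ProcessVersionInfoInternalFileName": "powershell.exe"},
    {"id": 4,  # same parent as 2, but the child is the crash handler the rule tunes out
     "InitiatingProcessCommandLine": r"mmc.exe C:\Users\victim\Downloads\invoice.msc",
     "ProcessVersionInfoInternalFileName": "WerFault.exe"},
    {"id": 5,  # has the term "msc" but no "mmc": not an MMC launch at all
     "InitiatingProcessCommandLine": r'"C:\Program Files\Tool\tool.exe" --config settings.msc',
     "ProcessVersionInfoInternalFileName": "cmd.exe"},
]

# The rule's own pattern: unanchored, so any system32 path in the parent command line matches.
ORIGINAL_SYSTEM32 = re.compile(r"(?i)[A-Za-z]:\\Windows\\system32\\.*")
# Tightened variant (assumption, not from the rule): match only when the .msc itself is under system32.
MSC_UNDER_SYSTEM32 = re.compile(r'(?i)[A-Za-z]:\\Windows\\system32\\[^"\s]*\.msc')

# KQL !in is case-sensitive, so a plain set membership test mirrors it.
EXCLUDED_CHILDREN = {"vbc.exe", "WerFault.exe"}


def kql_has_all(text, needles):
    """Approximate KQL has_all: every alphanumeric term of every needle must appear
    as a whole term in the text, case-insensitively ('.msc' reduces to the term 'msc')."""
    terms = set(re.findall(r"[a-z0-9_]+", text.lower()))
    for needle in needles:
        if not all(t in terms for t in re.findall(r"[a-z0-9_]+", needle.lower())):
            return False
    return True


def run_rule(events, system32_pattern=ORIGINAL_SYSTEM32):
    """Apply the three filters of the rule and return the ids of the rows that survive."""
    hits = []
    for ev in events:
        parent_cmd = ev["InitiatingProcessCommandLine"]
        if not kql_has_all(parent_cmd, ["mmc", ".msc"]):
            continue                                   # not a child of an MMC console
        if system32_pattern.search(parent_cmd):
            continue                                   # system32 exclusion
        if ev["ProcessVersionInfoInternalFileName"] in EXCLUDED_CHILDREN:
            continue                                   # known noisy children
        hits.append(ev["id"])
    return hits


if __name__ == "__main__":
    print("original rule   :", run_rule(SAMPLE_EVENTS))                      # [2]
    print("tightened regex :", run_rule(SAMPLE_EVENTS, MSC_UNDER_SYSTEM32))  # [2, 3]
```

Row 3 is the one to watch: it is the shape the shell produces for a double-clicked .msc, and the unanchored pattern suppresses it while the tightened one keeps it. Row 1 is excluded by both, and rows 4 and 5 fall to the child-name and term filters respectively. Any path-based allowlist of this kind can still be sidestepped with traversal sequences (`system32\..\..\...`), so treat it as noise reduction rather than a security boundary.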

Details

Ali Hussein

Released: May 16, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

has_all, matches regex, not, !in
