title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: experimental
description: Detects a Windows command line executable started from MMC
author: Karneades, Swisscom CSIRT
date: 2019/08/05
modified: 2020/09/01
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
tags:
    - attack.lateral_movement
    - attack.t1175          # an old one
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mmc.exe'
    selection2:
        - Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
        - Image|contains:
            - '\BITSADMIN'
    condition: selection and selection2
fields:
    - CommandLine
    - Image
    - ParentCommandLine
level: high