rules/windows/process_creation/win_mmc_spawn_shell.yml

title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: experimental
description: Detects a Windows command line executable started from MMC
author: Karneades, Swisscom CSIRT
date: 2019/08/05
modified: 2020/09/01
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
tags:
    - attack.lateral_movement
    - attack.t1175          # an old one
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mmc.exe'
    selection2:
        - Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
        - Image|contains:
            - '\BITSADMIN'
    condition: selection and selection2
fields:
    - CommandLine
    - Image
    - ParentCommandLine
level: high
Add new rule for detecting MMC spawning a shell 2019-08-05 18:42:31 +02:00			`title: MMC Spawning Windows Shell`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d`
Add new rule for detecting MMC spawning a shell 2019-08-05 18:42:31 +02:00			`status: experimental`
review windows/process_creation part 4 2020-09-02 02:34:34 +02:00			`description: Detects a Windows command line executable started from MMC`
Add new rule for detecting MMC spawning a shell 2019-08-05 18:42:31 +02:00			`author: Karneades, Swisscom CSIRT`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2019/08/05`
review windows/process_creation part 4 2020-09-02 02:34:34 +02:00			`modified: 2020/09/01`
			`references:`
			`- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/`
Add new rule for detecting MMC spawning a shell 2019-08-05 18:42:31 +02:00			`tags:`
			`- attack.lateral_movement`
review windows/process_creation part 4 2020-09-02 02:34:34 +02:00			`- attack.t1175 # an old one`
			`- attack.t1021.003`
Add new rule for detecting MMC spawning a shell 2019-08-05 18:42:31 +02:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
Update win_mmc_spawn_shell.yml 2020-10-15 18:09:27 -03:00			`ParentImage\|endswith: '\mmc.exe'`
Update win_mmc_spawn_shell.yml 2020-11-27 15:42:22 -03:00			`selection2:`
			`- Image\|endswith:`
Update win_mmc_spawn_shell.yml 2020-10-15 18:08:49 -03:00			`- '\cmd.exe'`
			`- '\powershell.exe'`
			`- '\wscript.exe'`
			`- '\cscript.exe'`
			`- '\sh.exe'`
			`- '\bash.exe'`
			`- '\reg.exe'`
			`- '\regsvr32.exe'`
Update win_mmc_spawn_shell.yml 2020-11-27 15:42:22 -03:00			`- Image\|contains:`
			`- '\BITSADMIN'`
			`condition: selection and selection2`
Add new rule for detecting MMC spawning a shell 2019-08-05 18:42:31 +02:00			`fields:`
			`- CommandLine`
			`- Image`
			`- ParentCommandLine`
			`level: high`