Common Information

Type | Value |
---|---|
Value | MMC - T1218.014 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview) For example, `mmc C:\Users\foo\admintools.msc /a` will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is `mmc gpedit.msc`, which will open the Group Policy Editor application window. Adversaries may use MMC commands to perform malicious tasks. For example, `mmc wbadmin.msc delete catalog -quiet` deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: `wbadmin.msc` may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal) Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: `mmc.exe -Embedding C:\path\to\test.msc`.(Citation: abusing_com_reg) |
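The command-line patterns named in the description above (author mode via `/a`, the `-Embedding` switch, an .msc loaded from a user-writable path, and `wbadmin.msc delete catalog`) are the observables a defender would hunt for in process-creation telemetry. The following is an added example written for this page, not code from MITRE or the MISP project: a small triage pass over constructed process-creation events. The event field names (`Image`, `CommandLine`) and the sample records are assumptions chosen for the example, not real telemetry.

```python
"""Triage mmc.exe process-creation events for T1218.014 indicators.

Added example for this page (not ATT&CK or MISP code). The event schema and
the SAMPLE_EVENTS below are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed events (assumption: Sysmon-style field names). Not real data.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc gpedit.msc"},
    {"id": 2, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc C:\Users\foo\admintools.msc /a"},
    {"id": 3, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc wbadmin.msc delete catalog -quiet"},
    {"id": 4, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'mmc.exe -Embedding "C:\Users\Public\test.msc"'},
    {"id": 5, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\foo\notes.txt"},
]

# Microsoft-shipped consoles live under the Windows directory; a full path
# elsewhere is where a custom (or attacker-saved) console would sit.
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as one token
    and dropping the surrounding quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def triage_mmc_event(event: Dict[str, str]) -> List[str]:
    """Return the T1218.014 indicators present in one process-creation event.

    An empty list means the event is either not an mmc.exe launch or shows
    none of the patterns described on the page.
    """
    image = event.get("Image", "")
    if not image.lower().endswith("\\mmc.exe"):
        return []  # only mmc.exe launches are in scope

    args = tokenize(event.get("CommandLine", ""))[1:]  # drop program token
    lower = [a.lower() for a in args]
    findings: List[str] = []

    # 1. An .msc given with a directory that is not under C:\Windows\.
    #    A bare name such as gpedit.msc resolves to a built-in console.
    for msc in (a for a in args if a.lower().endswith(".msc")):
        has_dir = "\\" in msc or "/" in msc
        if has_dir and not WINDOWS_DIR.match(msc):
            findings.append(f"msc_outside_windows_dir:{msc}")

    # 2. Console opened in author mode.
    if "/a" in lower:
        findings.append("author_mode")

    # 3. The -Embedding switch used to load a saved console.
    if "-embedding" in lower:
        findings.append("embedding_switch")

    # 4. Backup catalog deletion through the wbadmin snap-in (T1490).
    if "wbadmin.msc" in lower and "delete" in lower and "catalog" in lower:
        findings.append("backup_catalog_deletion_T1490")

    return findings


def triage_all(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event id -> findings for every event that produced at least one."""
    return {e["id"]: f for e in events if (f := triage_mmc_event(e))}


if __name__ == "__main__":
    for event_id, hits in triage_all(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

On the constructed sample, event 1 (`mmc gpedit.msc`) produces no finding, while events 2, 3 and 4 each surface the pattern the description attributes to them; stacking several indicators on one event (an .msc outside the Windows directory together with `-Embedding`) is what an analyst would prioritise for review.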
Details | CTI | Published | Attributes | Title |
---|---|---|---|---|
Details | Website | 2025-04-21 | 7 | Multi-stage attack leverages .JSE and PowerShell to deploy Agent Tesla and XLoader malware - 安全KER security news platform |
Details | Website | 2025-04-19 | 5 | Stealthy Malware Attacks Leveraging .JSE and PowerShell: A Multi-Stage Threat Unfolds |
Details | Website | 2025-04-18 | 12 | Hackers use MMC scripts to launch attacks and deploy MysterySnail RAT, threatening system security - 安全KER security news platform |
Details | Website | 2025-04-18 | 2 | Chinese hackers target Russian govt with upgraded RAT malware |
Details | Website | 2025-04-17 | 20 | New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor (Russian-language edition) |
Details | Website | 2025-04-17 | 20 | IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia |
Details | Website | 2025-04-17 | 21 | New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor |
Details | Website | 2025-04-10 | 13 | On taking over an entire domain in minutes: what else have you overlooked? \| DEVCORE 戴夫寇爾 |
Details | Website | 2025-04-08 | 8 | 26,000 dark web forum posts reveal increasingly sophisticated cyberattacks, OTP bots become hackers' new favourite; HellCat uses stolen Jira credentials to attack four companies \| 牛览 - 安全牛 |
Details | Website | 2025-04-07 | 1639 | US-CERT Vulnerability Summary for the Week of March 31, 2025 - RedPacket Security |
Details | Website | 2025-04-04 | 0 | This Week’s Threat Landscape-Critical Vulnerabilities, Zero-Days, and Botnets |
Details | Website | 2025-04-01 | 9 | 31st March – Threat Intelligence Report |
Details | Website | 2025-04-01 | 9 | 31st March – Threat Intelligence Report - Check Point Research |
Details | Website | 2025-03-31 | 0 | The PIN is Mightier Than the Face |
Details | Website | 2025-03-31 | 5 | My First Malware Analysis: A Dive into Adylkuzz |
Details | Website | 2025-03-28 | 11 | Cybersecurity News Review — Week 13 (2025) |
Details | Website | 2025-03-28 | 25 | Cyber Chaos Unfolds: Zero-Days, Botnets & Espionage Surge This Week |
Details | Website | 2025-03-28 | 2 | The Good, the Bad and the Ugly in Cybersecurity - Week 13 |
Details | Website | 2025-03-27 | 2 | Warning! EncryptHub exploits a Windows zero-day to deploy Rhadamanthys and StealC malware - 安全KER security news platform |
Details | Website | 2025-03-26 | 2 | EncryptHub linked to MMC zero-day attacks on Windows systems - PRSOL:CC |
Details | Website | 2025-03-26 | 0 | Windows-targeted EncryptHub attacks involve MMC zero-day exploitation |
Details | Website | 2025-03-26 | 3 | Windows MMC Framework Zero-Day Exploited to Execute Malicious Code |
Details | Website | 2025-03-26 | 64 | CVE-2025-26633: Water Gamayun uses MUIPath via MSC EvilTwin - SEC-1275-1 |
Details | Website | 2025-03-26 | 0 | Russian Ransomware Gang Exploited Windows Zero-Day Before Patch \| Antivirus and Security news |
Details | Website | 2025-03-25 | 12 | CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin |