mmc.exe

mmc.exe is the Microsoft Management Console, the host that runs the administrative snap-ins behind tools like Services, Event Viewer, and Device Manager. Administrators use it constantly. Attackers abuse it both as a signed proxy for execution and as a remote-execution path through its COM interface.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • mmc.exe -Embedding {PATH_ABSOLUTE:.msc} (Execute) · Configure a snap-in to load a COM custom class (CLSID) that has been added to the registry
  • mmc.exe gpedit.msc (UAC Bypass) · Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
  • mmc.exe -Embedding {PATH_ABSOLUTE:.msc} (Download) · Download file from Internet

Indicators

Hashes

Not observed.

Analysis

About this process

mmc.exe hosts management snap-ins, the modular consoles saved as .msc files that administer parts of Windows. Opening Services, Event Viewer, or a custom .msc runs through mmc.exe. It also exposes a COM automation object, MMC20.Application, that can be driven locally or, over DCOM, remotely. The genuine binary lives at C:\Windows\System32\mmc.exe.

Legitimately, mmc is launched by administrators opening management consoles, so the process is ordinary on managed systems. The snap-in or .msc it loads, its parent, and whether it was driven through COM are what give an instance meaning.

Security notes

mmc.exe is a system-binary proxy (T1218.014). A crafted .msc can run a command or load a snap-in that executes attacker code under a trusted, signed Microsoft process, bypassing application-control rules that allow mmc. A .msc from a temp or download folder, or mmc spawning a shell, points to this.

mmc is also a lateral-movement path through DCOM. The MMC20.Application COM object can be instantiated on a remote machine and told to run a command, so the payload executes as a child of mmc.exe on the target rather than as a child of whatever reached in over the network. An mmc that spawns a shell with no interactive console open, especially one created via DCOM, is the case to investigate.

Anomaly signals
  • Image path other than C:\Windows\System32\mmc.exe (high)
  • A .msc loaded from a user-writable path (Temp, AppData, Downloads) (high)
  • mmc spawning cmd.exe, powershell.exe, or other LOLBINs (high)
  • mmc started as a DCOM object (MMC20.Application) by a remote request (high)
  • Parent is an Office application, a script host, or an unfamiliar process (high)
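A small triage routine for the signals listed above, written here as an added example (it is not code from the original page or from any vendor tooling): it scores constructed Sysmon-style process-creation events against each signal. The parent allowlist, the LOLBIN child set, and the use of the -Embedding switch together with an svchost.exe parent as the marker for DCOM activation are assumptions to tune per environment.

```python
import re
from pathlib import PureWindowsPath

# Assumptions (tune per environment): parents mmc.exe is expected to have, Office/script
# hosts that should never launch it, and children a management console should never spawn.
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "cmd.exe", "powershell.exe"}
OFFICE_OR_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                          "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
                       "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe"}
# A .msc argument under Temp, AppData or Downloads (unquoted paths containing spaces are not matched).
USER_WRITABLE_MSC = re.compile(r'[A-Z]:\\[^\s"]*\\(?:Temp|AppData|Downloads)\\[^\s"]*\.msc\b', re.I)

def base(path):
    return PureWindowsPath(path).name.lower()

def mmc_signals(ev):
    """Return the high-severity signals one process-creation event matches ([] = nothing unusual)."""
    image, parent, cmd = base(ev["Image"]), base(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    if image == "mmc.exe":
        if ev["Image"].lower() != r"c:\windows\system32\mmc.exe":
            hits.append("image_path_not_system32")
        if USER_WRITABLE_MSC.search(cmd):
            hits.append("msc_from_user_writable_path")
        # Heuristic: a COM server activated over DCOM is started by the DcomLaunch svchost with
        # the -Embedding switch, so that pairing stands in for "started by a remote request".
        if re.search(r"-embedding\b", cmd, re.I) and parent == "svchost.exe":
            hits.append("dcom_activation")
        elif parent in OFFICE_OR_SCRIPT_HOSTS or parent not in EXPECTED_PARENTS:
            hits.append("unexpected_parent")
    elif parent == "mmc.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append("mmc_spawned_lolbin")
    return hits

def triage(events):
    # Event index -> signals, for every event that tripped at least one signal.
    return {i: s for i, ev in enumerate(events) if (s := mmc_signals(ev))}

# Constructed sample events in Sysmon Event ID 1 style (illustrative, not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" services.msc'},
    {"Image": r"C:\Windows\System32\mmc.exe", "CommandLine": r'mmc.exe "C:\Users\alice\Downloads\report.msc"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" -Embedding'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mmc.exe"},
]
```

Only the first sample event (Services opened from Explorer) comes back clean; the DCOM case is flagged without any shell child, which is the instance the Security notes single out.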

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
