Detection rules › Sigma
MMC Loading Script Engines DLLs
Detects the Microsoft Management Console (MMC) loading script-engine DLLs such as vbscript.dll or jscript.dll, which might indicate an attempt to execute malicious scripts inside a trusted system process to bypass application whitelisting or evade defenses.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.005 Command and Scripting Interpreter: Visual Basic |
| Defense Evasion | T1218.014 System Binary Proxy Execution: MMC |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
Stages and Predicates
Stage 1: selection
  and:
    or:
      ImageLoaded|endswith: '\jscript.dll'
      ImageLoaded|endswith: '\jscript9.dll'
      ImageLoaded|endswith: '\vbscript.dll'
    Image|endswith: '\mmc.exe'
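As an added example (not part of the rule or the catalog), the selection stage above re-implemented in Python and run over constructed Sysmon Event ID 7 records. Field names follow the Sysmon fields the rule references; the case-insensitive comparison follows Sigma's default string matching, and the `EventID` check is an assumption that mirrors the rule's image-load log source.

```python
from typing import Dict, Iterable, List

# Predicates lifted from the rule's selection stage. Sigma string modifiers
# compare case-insensitively, so every comparison below lowercases first.
IMAGE_SUFFIX = "\\mmc.exe"
SCRIPT_ENGINE_SUFFIXES = ("\\jscript.dll", "\\jscript9.dll", "\\vbscript.dll")


def matches_selection(event: Dict[str, str]) -> bool:
    """Return True when one Sysmon record satisfies the rule.

    Mirrors the Sigma semantics: the log source is image_load (Sysmon
    Event ID 7, assumed here), the Image and ImageLoaded predicates are
    ANDed, and the three ImageLoaded values are ORed.
    """
    if str(event.get("EventID")) != "7":
        return False
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith(IMAGE_SUFFIX) and loaded.endswith(SCRIPT_ENGINE_SUFFIXES)


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the selection over a stream of records and keep the hits."""
    return [e for e in events if matches_selection(e)]


# Constructed sample records (not real telemetry), shaped like the fields a
# parsed Sysmon Event ID 7 entry exposes. The last record is a process
# creation (Event ID 1) and must not match even though the image is mmc.exe.
SAMPLE_EVENTS = [
    {"EventID": "7", "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"EventID": "7", "Image": r"C:\Windows\System32\MMC.EXE",
     "ImageLoaded": r"C:\Windows\System32\JScript9.dll"},
    {"EventID": "7", "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\mmcndmgr.dll"},
    {"EventID": "7", "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"EventID": "1", "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc.exe eventvwr.msc"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

The second record shows why the lowercasing matters: a backend that compares case-sensitively would miss `MMC.EXE` loading `JScript9.dll`.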
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Image | ends_with | `\mmc.exe` |
| ImageLoaded | ends_with | `\jscript.dll`, `\jscript9.dll`, `\vbscript.dll` |