From e84f85a93bb25fb41c2e2348fbad87a6967002e7 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Fri, 6 Feb 2026 10:27:38 +0100 Subject: [PATCH 01/10] xml_runner --- ..._or_script_creation_in_suspicious_path.yml | 5 +- ...tables_or_script_creation_in_temp_path.yml | 5 +- .../mmc_lolbas_execution_process_spawn.yml | 23 +++--- ...n_of_microsoft_management_console_file.yml | 79 +++++++++++++++++++ .../windows_mmc_loads_script_dlls.yml | 67 ++++++++++++++++ stories/xml_runner.yml | 19 +++++ 6 files changed, 184 insertions(+), 14 deletions(-) create mode 100644 detections/endpoint/windows_execution_of_microsoft_management_console_file.yml create mode 100644 detections/endpoint/windows_mmc_loads_script_dlls.yml create mode 100644 stories/xml_runner.yml diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index bc26c2ba3b..6d1b3b1983 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 -version: 22 -date: '2026-01-20' +version: 23 +date: '2026-02-03' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -151,6 +151,7 @@ tags: - Lokibot - Castle RAT - SesameOp + - XML Runner asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml index 4d5a05588d..4efc4e1c7c 100644 --- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Temp Path id: e0422b71-2c05-4f32-8754-01fb415f49c9 -version: 18 -date: '2026-01-20' +version: 19 +date: '2026-02-03' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -137,6 +137,7 @@ tags: - Lokibot - SesameOp - PromptFlux + - XML Runner asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml index 39a168b94f..d79e3a4370 100644 --- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml @@ -1,7 +1,7 @@ name: Mmc LOLBAS Execution Process Spawn id: f6601940-4c74-11ec-b9b7-3e22fbd008af -version: 8 -date: '2025-05-02' +version: 9 +date: '2026-02-03' author: Mauricio Velazco, Splunk status: production type: TTP @@ -18,10 +18,9 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: - '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) - (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", +search: | + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", @@ -31,14 +30,17 @@ search: "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", - "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.action - Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec + "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) + + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `mmc_lolbas_execution_process_spawn_filter`' + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `mmc_lolbas_execution_process_spawn_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -83,6 +85,7 @@ tags: - Active Directory Lateral Movement - Living Off The Land - Water Gamayun + - XML Runner asset_type: Endpoint mitre_attack_id: - T1021.003 diff --git a/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml b/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml new file mode 100644 index 0000000000..6a99cc6c05 --- /dev/null +++ b/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml @@ -0,0 +1,79 @@ +name: Windows Execution of Microsoft Management Console File +id: ac30858b-7c25-4f0a-a7fa-bef036e49dc3 +version: 1 +date: '2026-02-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects when a Microsoft Management Console (MMC) process executes an .msc file on a Windows system. While .msc files are legitimate components used for system administration, unexpected execution of these files by non-administrative processes or in unusual contexts can indicate malicious activity, such as living-off-the-land attacks, persistence mechanisms, or automated administrative abuse. This detection monitors process creation events, command-line arguments, and parent process relationships to help distinguish normal administrative usage from potential threats. Alerts should be investigated in the context of the process initiating the .msc file, the target system, and any subsequent network or system activity, as routine administrative tasks may also trigger this behavior. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: | + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name=mmc.exe) Processes.process = "*.msc*" + by Processes.action + Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name + Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name + Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_execution_of_microsoft_management_console_file_filter` +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: A possible false positive (FP) for the execution of .msc files is legitimate administrative activity, since .msc files are standard Microsoft Management Console snap-ins used for system administration. +references: +- https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/ +- https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A Microsoft Management Console process [ $process_name$ ] launched an .msc file [ $process$ ] on the target system [ $dest$ ]. + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name +tags: + analytic_story: + - XML Runner + asset_type: Endpoint + mitre_attack_id: + - T1218.014 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.014/msc_execution/loaded_msc_mmc.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_mmc_loads_script_dlls.yml b/detections/endpoint/windows_mmc_loads_script_dlls.yml new file mode 100644 index 0000000000..78356a080e --- /dev/null +++ b/detections/endpoint/windows_mmc_loads_script_dlls.yml @@ -0,0 +1,67 @@ +name: Windows MMC Loads Script DLLs +id: 785bbfb5-d404-42d1-ab9d-45c37a2c75cd +version: 1 +date: '2026-02-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic identifies when a Windows process loads scripting libraries like jscript.dll or vbscript.dll to execute script code on a target system. While these DLLs are legitimate parts of the operating system, their use by unexpected processes or in unusual contexts can indicate malicious activity, such as script-based malware, living-off-the-land techniques, or automated attacks. This detection monitors which processes load these libraries, along with their command-line arguments and parent processes, to help distinguish normal administrative behavior from potential threats. Alerts should be investigated with attention to the process context and any subsequent network or system activity, as legitimate tools like MMC snap-ins may also trigger this behavior under routine administrative tasks. +data_source: +- Sysmon EventID 7 +search: '`sysmon` EventCode=7 process_name = mmc.exe ImageLoaded IN ("*\\jscript.dll", "*\\vbscript.dll") + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + by Image ImageLoaded dest loaded_file loaded_file_path original_file_name + process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists + service_dll_signature_verified signature signature_id user_id vendor_product + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_mmc_loads_script_dlls_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. + Also be sure to include those monitored dll to your own sysmon config. +known_false_positives: built in Windows tools such as Group Policy Management, Task Scheduler, Event Viewer, or custom MMC snap-ins may load vbscript.dll or jscript.dll to support scripted extensions, automation, or legacy management components.filtering is needed. +references: +- https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/ +- https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Process [ $process_name$ ] loaded [ $ImageLoaded$ ] (jscript.dll or vbscript.dll) to execute script code on [ $dest$ ]. + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - XML Runner + asset_type: Endpoint + mitre_attack_id: + - T1620 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1620/mmc_script_modules/loaded_module_mmc.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/stories/xml_runner.yml b/stories/xml_runner.yml new file mode 100644 index 0000000000..b76f41ffd5 --- /dev/null +++ b/stories/xml_runner.yml @@ -0,0 +1,19 @@ +name: XML Runner +id: 2c459fd3-c013-40ee-ae2a-e7aae40b738d +version: 1 +date: '2026-02-03' +author: Teoderick Contreras, Splunk +status: production +description: This detection identifies activity associated with an XML runner loader that leverages Microsoft Management Console (MSC) files to execute a malicious payload on a targeted host. The loader abuses legitimate Windows utilities to parse XML content and invoke embedded commands, allowing execution without dropping a traditional executable. This technique helps the threat evade signature-based defenses by blending into normal administrative behavior. Detection focuses on anomalous MSC file execution, suspicious XML structures, and unusual parent-child process relationships indicative of living-off-the-land abuse. +narrative: This malware family is characterized by its use of trusted Windows components to deliver and execute payloads while minimizing its forensic footprint. By relying on XML-based loaders and MSC files, the threat avoids common executable-based detection mechanisms and blends into routine system activity. The family is often observed in targeted intrusions, favoring stealth and persistence over noisy propagation. Its modular design allows operators to adapt payloads per victim, making it a flexible tool for reconnaissance, lateral movement, or follow-on malware deployment. +references: +- https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/ +- https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/ +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection From 2a36177bfc256dd9e763a02c91b3bd7083c106ac Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Tue, 10 Feb 2026 11:38:25 +0100 Subject: [PATCH 02/10] xml_runner --- .../windows_execution_of_microsoft_management_console_file.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml b/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml index 6a99cc6c05..7a73890095 100644 --- a/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml +++ b/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml @@ -13,7 +13,7 @@ data_source: search: | | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where (Processes.process_name=mmc.exe) Processes.process = "*.msc*" + where (Processes.process_name=mmc.exe) Processes.process = "*.msc*" Processes.process != "*:\Windows\System32*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name From 6c12dafbc8b906691710de75e2012304fec32fc7 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Tue, 10 Feb 2026 13:00:58 +0100 Subject: [PATCH 03/10] xml_runner --- ...n_of_microsoft_management_console_file.yml | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml b/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml index 7a73890095..790d156bed 100644 --- a/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml +++ b/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml @@ -13,7 +13,27 @@ data_source: search: | | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where (Processes.process_name=mmc.exe) Processes.process = "*.msc*" Processes.process != "*:\Windows\System32*" + where (Processes.process_name=mmc.exe) + AND Processes.process = "*.msc*" + AND Processes.process IN ( + "*\\PerfLogs\\*", + "*\\Users\\Administrator\\Music\\*", + "*\\Users\\Default\\*", + "*\\Users\\Public\\*", + "*\\Windows\\debug\\*", + "*\\Windows\\fonts\\*", + "*\\Windows\\Media\\*", + "*\\Windows\\repair\\*", + "*\\Windows\\servicing\\*", + "*Recycle.bin*", + "*\\Download*", + "*\\temp\\*", + "*\\programdata\\*" + "*\\Users\\Administrator\\Music\\*", + "*:\\Windows\\Prefetch\\*", + "*:\\Windows\\Cursors\\*", + "*:\\Windows\\INF\\*" + ) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name From dfd80ae6d1ba1c64ceee87d8800a090867e8383b Mon Sep 17 00:00:00 2001 From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Tue, 17 Feb 2026 13:20:02 +0100 Subject: [PATCH 04/10] Update detections/endpoint/windows_execution_of_microsoft_management_console_file.yml Co-authored-by: Nasreddine Bencherchali --- ...windows_execution_of_microsoft_management_console_file.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml b/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml index 790d156bed..d5e6ecd762 100644 --- a/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml +++ b/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml @@ -80,6 +80,10 @@ rba: threat_objects: - field: parent_process_name type: parent_process_name + - field: process_name + type: process_name + - field: process + type: process tags: analytic_story: - XML Runner From 192a7270f63107336bb42d94970c1ae631fbe964 Mon Sep 17 00:00:00 2001 From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Tue, 17 Feb 2026 13:20:11 +0100 Subject: [PATCH 05/10] Update detections/endpoint/windows_mmc_loads_script_dlls.yml Co-authored-by: Nasreddine Bencherchali --- detections/endpoint/windows_mmc_loads_script_dlls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_mmc_loads_script_dlls.yml b/detections/endpoint/windows_mmc_loads_script_dlls.yml index 78356a080e..676525b05c 100644 --- a/detections/endpoint/windows_mmc_loads_script_dlls.yml +++ b/detections/endpoint/windows_mmc_loads_script_dlls.yml @@ -21,7 +21,7 @@ how_to_implement: To successfully implement this search, you need to be ingestin logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. -known_false_positives: built in Windows tools such as Group Policy Management, Task Scheduler, Event Viewer, or custom MMC snap-ins may load vbscript.dll or jscript.dll to support scripted extensions, automation, or legacy management components.filtering is needed. +known_false_positives: built in Windows tools such as Group Policy Management, Task Scheduler, Event Viewer, or custom MMC snap-ins may load vbscript.dll or jscript.dll to support scripted extensions, automation, or legacy management components. Filter as needed. references: - https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/ - https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/ From b9d8b0cf469ed884ceafc037072f49cc7eecaf88 Mon Sep 17 00:00:00 2001 From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Tue, 17 Feb 2026 13:20:31 +0100 Subject: [PATCH 06/10] Update detections/endpoint/windows_mmc_loads_script_dlls.yml Co-authored-by: Nasreddine Bencherchali --- detections/endpoint/windows_mmc_loads_script_dlls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_mmc_loads_script_dlls.yml b/detections/endpoint/windows_mmc_loads_script_dlls.yml index 676525b05c..4777862663 100644 --- a/detections/endpoint/windows_mmc_loads_script_dlls.yml +++ b/detections/endpoint/windows_mmc_loads_script_dlls.yml @@ -8,7 +8,7 @@ type: Anomaly description: The following analytic identifies when a Windows process loads scripting libraries like jscript.dll or vbscript.dll to execute script code on a target system. While these DLLs are legitimate parts of the operating system, their use by unexpected processes or in unusual contexts can indicate malicious activity, such as script-based malware, living-off-the-land techniques, or automated attacks. This detection monitors which processes load these libraries, along with their command-line arguments and parent processes, to help distinguish normal administrative behavior from potential threats. Alerts should be investigated with attention to the process context and any subsequent network or system activity, as legitimate tools like MMC snap-ins may also trigger this behavior under routine administrative tasks. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 process_name = mmc.exe ImageLoaded IN ("*\\jscript.dll", "*\\vbscript.dll") +search: '`sysmon` EventCode=7 process_name = mmc.exe ImageLoaded IN ("*\\jscript.dll", "*\\vbscript.dll", "*\\jscript9.dll") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name From 942221e9401b7eb8fb431f960c6161d5eb656b06 Mon Sep 17 00:00:00 2001 From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Tue, 17 Feb 2026 13:21:05 +0100 Subject: [PATCH 07/10] Update detections/endpoint/windows_mmc_loads_script_dlls.yml Co-authored-by: Nasreddine Bencherchali --- detections/endpoint/windows_mmc_loads_script_dlls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_mmc_loads_script_dlls.yml b/detections/endpoint/windows_mmc_loads_script_dlls.yml index 4777862663..c2896bdde9 100644 --- a/detections/endpoint/windows_mmc_loads_script_dlls.yml +++ b/detections/endpoint/windows_mmc_loads_script_dlls.yml @@ -40,7 +40,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Process [ $process_name$ ] loaded [ $ImageLoaded$ ] (jscript.dll or vbscript.dll) to execute script code on [ $dest$ ]. + message: Process [ $process_name$ ] loaded [ $ImageLoaded$ ] on [ $dest$ ]. risk_objects: - field: dest type: system From c30c48e98caa3b2e45dd6bb497023b50a7d824c1 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Tue, 17 Feb 2026 13:35:20 +0100 Subject: [PATCH 08/10] xml_runner --- ..._or_script_creation_in_suspicious_path.yml | 2 +- ...tables_or_script_creation_in_temp_path.yml | 2 +- .../mmc_lolbas_execution_process_spawn.yml | 2 +- ...microsoft_msc_file_in_suspicious_path.yml} | 28 ++++++++++--------- .../windows_mmc_loads_script_dlls.yml | 2 +- .../{xml_runner.yml => xml_runner_loader.yml} | 2 +- 6 files changed, 20 insertions(+), 18 deletions(-) rename detections/endpoint/{windows_execution_of_microsoft_management_console_file.yml => windows_execution_of_microsoft_msc_file_in_suspicious_path.yml} (78%) rename stories/{xml_runner.yml => xml_runner_loader.yml} (98%) diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 6d1b3b1983..da8380bffa 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -151,7 +151,7 @@ tags: - Lokibot - Castle RAT - SesameOp - - XML Runner + - XML Runner Loader asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml index 4efc4e1c7c..a6751571ef 100644 --- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml @@ -137,7 +137,7 @@ tags: - Lokibot - SesameOp - PromptFlux - - XML Runner + - XML Runner Loader asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml index d79e3a4370..9bf7d7f7c1 100644 --- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml @@ -85,7 +85,7 @@ tags: - Active Directory Lateral Movement - Living Off The Land - Water Gamayun - - XML Runner + - XML Runner Loader asset_type: Endpoint mitre_attack_id: - T1021.003 diff --git a/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml b/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml similarity index 78% rename from detections/endpoint/windows_execution_of_microsoft_management_console_file.yml rename to detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml index d5e6ecd762..1b27c2de79 100644 --- a/detections/endpoint/windows_execution_of_microsoft_management_console_file.yml +++ b/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml @@ -1,11 +1,11 @@ -name: Windows Execution of Microsoft Management Console File +name: Windows Execution of Microsoft MSC File In Suspicious Path id: ac30858b-7c25-4f0a-a7fa-bef036e49dc3 version: 1 date: '2026-02-03' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects when a Microsoft Management Console (MMC) process executes an .msc file on a Windows system. While .msc files are legitimate components used for system administration, unexpected execution of these files by non-administrative processes or in unusual contexts can indicate malicious activity, such as living-off-the-land attacks, persistence mechanisms, or automated administrative abuse. This detection monitors process creation events, command-line arguments, and parent process relationships to help distinguish normal administrative usage from potential threats. Alerts should be investigated in the context of the process initiating the .msc file, the target system, and any subsequent network or system activity, as routine administrative tasks may also trigger this behavior. +description: The following analytic detects when a Microsoft Management Console (MMC) process executes an .msc file in a suspicious path on a Windows system. While .msc files are legitimate components used for system administration, unexpected execution of these files by non-administrative processes or in unusual contexts can indicate malicious activity, such as living-off-the-land attacks, persistence mechanisms, or automated administrative abuse. This detection monitors process creation events, command-line arguments, and parent process relationships to help distinguish normal administrative usage from potential threats. Alerts should be investigated in the context of the process initiating the .msc file, the target system, and any subsequent network or system activity, as routine administrative tasks may also trigger this behavior. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 @@ -17,23 +17,25 @@ search: | AND Processes.process = "*.msc*" AND Processes.process IN ( "*\\PerfLogs\\*", - "*\\Users\\Administrator\\Music\\*", - "*\\Users\\Default\\*", - "*\\Users\\Public\\*", - "*\\Windows\\debug\\*", - "*\\Windows\\fonts\\*", - "*\\Windows\\Media\\*", - "*\\Windows\\repair\\*", - "*\\Windows\\servicing\\*", + "*\\programdata\\*" "*Recycle.bin*", "*\\Download*", "*\\temp\\*", - "*\\programdata\\*" + "*\\Users\\Administrator\\Music\\*", + "*\\Users\\Default\\*", + "*\\Users\\Public\\*", "*\\Users\\Administrator\\Music\\*", "*:\\Windows\\Prefetch\\*", "*:\\Windows\\Cursors\\*", "*:\\Windows\\INF\\*" + "*:\\Windows\\debug\\*", + "*:\\Windows\\fonts\\*", + "*:\\Windows\\Media\\*", + "*:\\Windows\\repair\\*", + "*:\\Windows\\servicing\\*", ) + AND NOT (Processes.process IN ("*C:\\Windows\\System32\\eventvwr.msc*", "*C:\\Windows\\System32\\certmgr.msc*")) + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name @@ -43,7 +45,7 @@ search: | | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_execution_of_microsoft_management_console_file_filter` + | `windows_execution_of_microsoft_msc_file_in_suspicious_path_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -86,7 +88,7 @@ rba: type: process tags: analytic_story: - - XML Runner + - XML Runner Loader asset_type: Endpoint mitre_attack_id: - T1218.014 diff --git a/detections/endpoint/windows_mmc_loads_script_dlls.yml b/detections/endpoint/windows_mmc_loads_script_dlls.yml index c2896bdde9..a6225b8f2d 100644 --- a/detections/endpoint/windows_mmc_loads_script_dlls.yml +++ b/detections/endpoint/windows_mmc_loads_script_dlls.yml @@ -50,7 +50,7 @@ rba: type: process_name tags: analytic_story: - - XML Runner + - XML Runner Loader asset_type: Endpoint mitre_attack_id: - T1620 diff --git a/stories/xml_runner.yml b/stories/xml_runner_loader.yml similarity index 98% rename from stories/xml_runner.yml rename to stories/xml_runner_loader.yml index b76f41ffd5..3f7821e587 100644 --- a/stories/xml_runner.yml +++ b/stories/xml_runner_loader.yml @@ -1,4 +1,4 @@ -name: XML Runner +name: XML Runner Loader id: 2c459fd3-c013-40ee-ae2a-e7aae40b738d version: 1 date: '2026-02-03' From 4596dbfcb77a2e5c0327c715d7e4d6922bdce410 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 17 Feb 2026 20:05:05 +0100 Subject: [PATCH 09/10] Apply suggestions from code review --- detections/endpoint/windows_mmc_loads_script_dlls.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_mmc_loads_script_dlls.yml b/detections/endpoint/windows_mmc_loads_script_dlls.yml index a6225b8f2d..bc205fc136 100644 --- a/detections/endpoint/windows_mmc_loads_script_dlls.yml +++ b/detections/endpoint/windows_mmc_loads_script_dlls.yml @@ -1,4 +1,4 @@ -name: Windows MMC Loads Script DLLs +name: Windows MMC Loaded Script Engine DLL id: 785bbfb5-d404-42d1-ab9d-45c37a2c75cd version: 1 date: '2026-02-03' @@ -16,7 +16,7 @@ search: '`sysmon` EventCode=7 process_name = mmc.exe ImageLoaded IN ("*\\jscrip service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_mmc_loads_script_dlls_filter`' + | `windows_mmc_loaded_script_engine_dll_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. From d2f2d5ca8b5a5e7613bbce4a085d2c1238c8b530 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 17 Feb 2026 20:05:36 +0100 Subject: [PATCH 10/10] Rename windows_mmc_loads_script_dlls.yml to windows_mmc_loaded_script_engine_dll.yml --- ...s_script_dlls.yml => windows_mmc_loaded_script_engine_dll.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename detections/endpoint/{windows_mmc_loads_script_dlls.yml => windows_mmc_loaded_script_engine_dll.yml} (100%) diff --git a/detections/endpoint/windows_mmc_loads_script_dlls.yml b/detections/endpoint/windows_mmc_loaded_script_engine_dll.yml similarity index 100% rename from detections/endpoint/windows_mmc_loads_script_dlls.yml rename to detections/endpoint/windows_mmc_loaded_script_engine_dll.yml