splunk · nasbench · Feb 17, 2026 · Feb 6, 2026 · Feb 10, 2026 · Feb 10, 2026
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 22
-date: '2026-01-20'
+version: 23
+date: '2026-02-03'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -151,6 +151,7 @@ tags:
     - Lokibot
     - Castle RAT
     - SesameOp
+    - XML Runner Loader
   asset_type: Endpoint
   mitre_attack_id:
     - T1036

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 18
-date: '2026-01-20'
+version: 19
+date: '2026-02-03'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -137,6 +137,7 @@ tags:
     - Lokibot
     - SesameOp
     - PromptFlux
+    - XML Runner Loader
   asset_type: Endpoint
   mitre_attack_id:
     - T1036

@@ -1,7 +1,7 @@
 name: Mmc LOLBAS Execution Process Spawn
 id: f6601940-4c74-11ec-b9b7-3e22fbd008af
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-03'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -18,10 +18,9 @@ data_source:
   - Sysmon EventID 1
   - Windows Event Log Security 4688
   - CrowdStrike ProcessRollup2
-search:
-  '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe)
-  (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe",
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
+  where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe",
   "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe",
   "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe",
   "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe",
@@ -31,14 +30,17 @@ search:
   "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe",
   "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe",
   "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe",
-  "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.action
-  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
+  "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) 
+
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
   Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
   Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `mmc_lolbas_execution_process_spawn_filter`'
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `mmc_lolbas_execution_process_spawn_filter`
 how_to_implement:
   The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
@@ -83,6 +85,7 @@ tags:
     - Active Directory Lateral Movement
     - Living Off The Land
     - Water Gamayun
+    - XML Runner Loader
   asset_type: Endpoint
   mitre_attack_id:
     - T1021.003

@@ -0,0 +1,105 @@
+name: Windows Execution of Microsoft MSC File In Suspicious Path
+id: ac30858b-7c25-4f0a-a7fa-bef036e49dc3
+version: 1
+date: '2026-02-03'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when a Microsoft Management Console (MMC) process executes an .msc file in a suspicious path on a Windows system. While .msc files are legitimate components used for system administration, unexpected execution of these files by non-administrative processes or in unusual contexts can indicate malicious activity, such as living-off-the-land attacks, persistence mechanisms, or automated administrative abuse. This detection monitors process creation events, command-line arguments, and parent process relationships to help distinguish normal administrative usage from potential threats. Alerts should be investigated in the context of the process initiating the .msc file, the target system, and any subsequent network or system activity, as routine administrative tasks may also trigger this behavior.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: |  
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes 
+  where (Processes.process_name=mmc.exe)  
+  AND Processes.process = "*.msc*" 
+  AND Processes.process IN (
+    "*\\PerfLogs\\*",
+    "*\\programdata\\*"
+    "*Recycle.bin*",
+    "*\\Download*",
+    "*\\temp\\*",
+    "*\\Users\\Administrator\\Music\\*",
+    "*\\Users\\Default\\*",
+    "*\\Users\\Public\\*",
+    "*\\Users\\Administrator\\Music\\*",
+    "*:\\Windows\\Prefetch\\*", 
+    "*:\\Windows\\Cursors\\*", 
+    "*:\\Windows\\INF\\*"
+    "*:\\Windows\\debug\\*",
+    "*:\\Windows\\fonts\\*",
+    "*:\\Windows\\Media\\*",
+    "*:\\Windows\\repair\\*",
+    "*:\\Windows\\servicing\\*",
+    )
+  AND NOT (Processes.process IN ("*C:\\Windows\\System32\\eventvwr.msc*", "*C:\\Windows\\System32\\certmgr.msc*"))
+
+  by Processes.action
+  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
+  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
+  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
+  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
+  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_execution_of_microsoft_msc_file_in_suspicious_path_filter`
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: A possible false positive (FP) for the execution of .msc files is legitimate administrative activity, since .msc files are standard Microsoft Management Console snap-ins used for system administration.
+references:
+- https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/
+- https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A Microsoft Management Console process [ $process_name$ ] launched an .msc file [ $process$ ] on the target system [ $dest$ ].
+  risk_objects:
+  - field: dest
+    type: system
+    score: 20
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+  - field: process_name
+    type: process_name
+  - field: process
+    type: process
+tags:
+  analytic_story:
+  - XML Runner Loader
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1218.014
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.014/msc_execution/loaded_msc_mmc.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,67 @@
+name: Windows MMC Loaded Script Engine DLL
+id: 785bbfb5-d404-42d1-ab9d-45c37a2c75cd
+version: 1
+date: '2026-02-03'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies when a Windows process loads scripting libraries like jscript.dll or vbscript.dll to execute script code on a target system. While these DLLs are legitimate parts of the operating system, their use by unexpected processes or in unusual contexts can indicate malicious activity, such as script-based malware, living-off-the-land techniques, or automated attacks. This detection monitors which processes load these libraries, along with their command-line arguments and parent processes, to help distinguish normal administrative behavior from potential threats. Alerts should be investigated with attention to the process context and any subsequent network or system activity, as legitimate tools like MMC snap-ins may also trigger this behavior under routine administrative tasks.
+data_source:
+- Sysmon EventID 7
+search: '`sysmon` EventCode=7  process_name = mmc.exe ImageLoaded IN ("*\\jscript.dll", "*\\vbscript.dll", "*\\jscript9.dll")  
+  | fillnull 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by Image ImageLoaded dest loaded_file loaded_file_path original_file_name
+  process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists
+  service_dll_signature_verified signature signature_id user_id vendor_product 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`  
+  | `windows_mmc_loaded_script_engine_dll_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints.
+  If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+  Also be sure to include those monitored dll to your own sysmon config.
+known_false_positives: built in Windows tools such as Group Policy Management, Task Scheduler, Event Viewer, or custom MMC snap-ins may load vbscript.dll or jscript.dll to support scripted extensions, automation, or legacy management components. Filter as needed.
+references:
+- https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/
+- https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Process [ $process_name$ ] loaded [ $ImageLoaded$ ] on [ $dest$ ].
+  risk_objects:
+  - field: dest
+    type: system
+    score: 20
+  threat_objects:
+  - field: process_name
+    type: process_name
+tags:
+  analytic_story:
+  - XML Runner Loader
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1620
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1620/mmc_script_modules/loaded_module_mmc.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,19 @@
+name: XML Runner Loader
+id: 2c459fd3-c013-40ee-ae2a-e7aae40b738d
+version: 1
+date: '2026-02-03'
+author: Teoderick Contreras, Splunk
+status: production
+description: This detection identifies activity associated with an XML runner loader that leverages Microsoft Management Console (MSC) files to execute a malicious payload on a targeted host. The loader abuses legitimate Windows utilities to parse XML content and invoke embedded commands, allowing execution without dropping a traditional executable. This technique helps the threat evade signature-based defenses by blending into normal administrative behavior. Detection focuses on anomalous MSC file execution, suspicious XML structures, and unusual parent-child process relationships indicative of living-off-the-land abuse.
+narrative: This malware family is characterized by its use of trusted Windows components to deliver and execute payloads while minimizing its forensic footprint. By relying on XML-based loaders and MSC files, the threat avoids common executable-based detection mechanisms and blends into routine system activity. The family is often observed in targeted intrusions, favoring stealth and persistence over noisy propagation. Its modular design allows operators to adapt payloads per victim, making it a flexible tool for reconnaissance, lateral movement, or follow-on malware deployment.
+references:
+- https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/
+- https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/
+tags:
+  category:
+  - Malware
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection