MITRE ATT&CK® Analytic

AN0622: Analytic 0622

Abuse of mmc.exe to execute non-Microsoft or user-staged .msc files and malicious COM CLSIDs. Behavioral chain: (1) suspicious mmc.exe invocation with /a or -Embedding and non-standard .msc path → (2) COM activation of non-baseline CLSIDs by mmc.exe → (3) mmc.exe loads non-baseline DLLs (user-writable/UNC/unsigned) → (4) optional network/DNS activity from mmc.exe.

Enterprise · AN0622 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because Microsoft Management Console activity can look administrative, yet the described behavior focuses on mmc.exe being used with non-standard .msc files, unusual COM CLSIDs, non-baseline DLL loads, and possible network or DNS activity. For security leaders, the decision value is whether Windows monitoring can distinguish normal console administration from user-staged or non-Microsoft components that may create investigation risk and incident ambiguity.

Executive priority

Prioritize this as a Windows detection-quality and incident-readiness issue rather than a standalone proof of compromise. Leaders should ask whether SOC tooling can baseline legitimate mmc.exe usage, whether endpoint telemetry captures process, COM, module-load, file-path, signature, UNC, and DNS/network evidence, and whether exceptions for administrative tools are governed. This supports audit evidence around monitoring coverage and helps reduce blind spots where trusted Windows binaries are treated as automatically benign.

Technical view

Validate monitoring for the behavioral chain described by MITRE: suspicious mmc.exe invocation with /a or -Embedding and a non-standard .msc path; COM activation of non-baseline CLSIDs by mmc.exe; loading of non-baseline DLLs from user-writable paths, UNC paths, or unsigned locations; and optional network or DNS activity from mmc.exe. Because no ATT&CK detection logic is supplied, detection teams should build environment-specific baselines for legitimate mmc.exe administrative usage before alerting on deviations.

Likely telemetry

  • Windows process creation events for mmc.exe, including command line and parent process
  • File path and file creation/access evidence for .msc files, especially non-standard or user-staged locations
  • COM activation or CLSID telemetry where available
  • Module/DLL load telemetry for mmc.exe, including path and signing metadata
  • Network connection and DNS query telemetry attributed to mmc.exe

Detection direction

  • Baseline normal mmc.exe usage by administrators, management tools, and standard console locations before treating deviations as suspicious.
  • Correlate multiple behaviors rather than alerting only on mmc.exe execution, since mmc.exe is a legitimate Windows administrative utility.
  • Prioritize higher-fidelity combinations: non-standard .msc path plus unusual COM CLSID, non-baseline DLL load, unsigned or user-writable DLL path, UNC loading, or network/DNS activity from mmc.exe.
  • Tune for false positives from legitimate custom management consoles, internal administration workflows, and approved snap-ins.
  • Validate that telemetry preserves command-line arguments, module-load details, signature status, and network attribution to the process; without these, coverage may be incomplete.
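The multi-stage correlation described in the Technical view and the Detection direction above, as an added illustration that is not part of the MITRE analytic or Glexia's page: a small Python correlator applies the chain to constructed telemetry and alerts only when a single mmc.exe process shows two or more stages. Event field names, the baseline directories, the approved CLSID and the sample events are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): a benign admin session (pid 100)
# and a suspicious multi-stage chain (pid 200). Field names are assumptions.
EVENTS = [
    {"pid": 100, "type": "process", "cmdline": r'mmc.exe "C:\Windows\System32\services.msc"'},
    {"pid": 100, "type": "image", "path": r"C:\Windows\System32\mmcndmgr.dll", "signed": True},
    {"pid": 200, "type": "process", "cmdline": r'mmc.exe /a "C:\Users\alice\Downloads\console.msc"'},
    {"pid": 200, "type": "com", "clsid": "{00000000-0000-0000-0000-00000000dead}"},
    {"pid": 200, "type": "image", "path": r"\\fileshare\share\snap.dll", "signed": False},
    {"pid": 200, "type": "dns", "query": "example.invalid"},
]

# Environment-specific baselines the page says must exist before alerting (placeholders here).
BASELINE_MSC_DIRS = ("c:\\windows\\system32\\",)
BASELINE_CLSIDS = {"{2d7f3ba4-6d62-4a3f-9b19-0f5b0f0e6b80}"}   # placeholder approved snap-in CLSID
BASELINE_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

def stage1_invocation(cmdline):
    """Stage 1: /a or -Embedding together with a .msc path outside the baseline directories."""
    flag = re.search(r"(?i)(^|\s)(/a|-embedding)(\s|$)", cmdline) is not None
    m = re.search(r'(?i)"?([^"\s]+\.msc)"?', cmdline)
    msc = m.group(1).lower() if m else ""
    nonstd = bool(msc) and not msc.startswith(BASELINE_MSC_DIRS)
    return flag and nonstd

def stage3_dll(ev):
    """Stage 3: DLL outside baseline dirs that is UNC, user-writable, or unsigned."""
    p = ev["path"].lower()
    if p.startswith(BASELINE_DLL_DIRS):
        return False
    return p.startswith("\\\\") or p.startswith(USER_WRITABLE) or not ev["signed"]

def correlate(events, min_stages=2):
    """Group stage hits per mmc.exe process; report only processes with several stages."""
    stages = defaultdict(set)
    for ev in events:
        t = ev["type"]
        if t == "process" and stage1_invocation(ev["cmdline"]):
            stages[ev["pid"]].add(1)
        elif t == "com" and ev["clsid"].lower() not in BASELINE_CLSIDS:
            stages[ev["pid"]].add(2)
        elif t == "image" and stage3_dll(ev):
            stages[ev["pid"]].add(3)
        elif t in ("dns", "network"):
            stages[ev["pid"]].add(4)
    return {pid: sorted(s) for pid, s in stages.items() if len(s) >= min_stages}

if __name__ == "__main__":
    print(correlate(EVENTS))  # {200: [1, 2, 3, 4]}
```

The benign session never enters the result because none of its events match a stage, and a process with only network activity is dropped by the `min_stages` threshold.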

Mitigation priorities

  • Establish an allowlist or baseline of approved .msc locations, administrative consoles, snap-ins, and expected mmc.exe behaviors.
  • Restrict write access to locations used for administrative tooling and review exposure to user-writable or UNC-based execution paths.
  • Apply least-privilege administration so routine users cannot stage or run unapproved management console components where preventable.
  • Review controls for unsigned or untrusted DLL loading in administrative workflows, using existing endpoint and application-control capabilities where appropriate.
  • Document approved exceptions and monitoring evidence for compliance and incident response readiness.

Analyst notes and limits

This object is a detection analytic for Windows behavior involving mmc.exe, .msc files, COM CLSIDs, DLL loads, and optional network/DNS activity. No relationship context, ATT&CK tactics, or official detection logic were supplied, so the take emphasizes validation, baselining, and telemetry requirements rather than asserting a specific rule or coverage outcome.

The supplied ATT&CK fields do not include official detection content, related techniques, mitigations, groups, software, campaigns, or evidence of active exploitation. Local baselines are required to distinguish legitimate administrative use from suspicious behavior.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3c00028712d5e2d3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 3c00028712d5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.