MITRE ATT&CK® Detection Strategy

DET0222: Detecting MMC (.msc) Proxy Execution and Malicious COM Activation


Domain: Enterprise | ID: DET0222 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0222 is a detection strategy for spotting abuse of Microsoft Management Console behavior: use of mmc.exe to run potentially malicious .msc console files and suspicious COM activation. The business value is that this behavior can hide inside trusted Windows administration tooling, so leaders should treat it as a validation point for whether endpoint monitoring can distinguish legitimate administration from proxy execution activity.

Executive priority

Prioritize this as a Windows endpoint and SOC readiness question rather than a standalone risk claim. Ask whether the organization can prove visibility into mmc.exe execution, .msc file usage, and related COM activity, especially on administrator workstations and servers. This matters for incident triage, audit evidence around monitoring of trusted system binaries, and reducing blind spots where legitimate administrative tools can be misused for stealthy execution.

Technical view

The supplied ATT&CK relationship says this detection strategy detects T1218.014 (MMC), an Enterprise sub-technique for Windows under the Defense Evasion tactic. SOC and detection teams should validate monitoring around mmc.exe launches, command-line arguments, parent/child process context, .msc file paths, and COM activation behavior. Because the detection strategy object carries no official detection text and no platform field of its own, implementation should be anchored to the related Windows MMC technique and tested against local administrative baselines.

Likely telemetry

  • Endpoint process creation events for mmc.exe
  • Command-line and parent/child process context
  • File telemetry for .msc files, including location and execution/open activity
  • COM activation or COM-related endpoint telemetry where available
  • User, host, and administrative session context for Windows systems

Detection direction

  • Baseline legitimate MMC usage by administrators and management tools before alerting broadly.
  • Review mmc.exe executions that open .msc files from unusual user-writable, temporary, downloaded, or uncommon paths, if such path context is available.
  • Correlate mmc.exe activity with unexpected parent processes, unusual users, or follow-on child process behavior.
  • Validate whether COM activation telemetry is actually collected; many environments may not have sufficient visibility by default.
  • Tune for known administrative consoles and remote management workflows to reduce false positives.
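The detection direction above, turned into runnable triage logic as an added example (this is not Glexia's or MITRE's code). It learns a baseline of (user, parent, console) triples from a known-good window, then flags mmc.exe launches that open a .msc from a user-writable or unbaselined path, launches from an unexpected parent, and follow-on children spawned by mmc.exe. The sample events are constructed to resemble Sysmon Event ID 1 / Security 4688 fields and are not real logs; the path lists, parent allowlist and child list are assumptions to replace with your own baseline.

```python
"""Triage mmc.exe process-creation telemetry for .msc proxy-execution indicators.

Added example for this page, not Glexia's or MITRE's code. Events are constructed
(Image, CommandLine, ParentImage, User as in Sysmon EID 1 / Security 4688); the
path lists and allowlists below are assumptions, not a vendor-supplied ruleset.
"""
from __future__ import annotations

import re

# Parents that normally start an administrative console (assumption; tune per environment).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "svchost.exe"}
# Consoles shipped with Windows live here; anything elsewhere needs a baseline entry.
TRUSTED_MSC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Fragments typical of user-writable, temporary or download locations (assumption).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                         "c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Follow-on children an MMC console rarely has a legitimate reason to spawn (assumption).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe"}
# A quoted path (may contain spaces) or a bare token ending in .msc.
MSC_PATH_RE = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def extract_msc_path(command_line: str) -> str | None:
    """First .msc argument on the command line (lower-cased), or None if there is none."""
    m = MSC_PATH_RE.search(command_line)
    return (m.group(1) or m.group(2)).lower() if m else None


def classify_msc_path(path: str) -> str:
    """'trusted' (under the Windows directory), 'user_writable', or 'unknown' (needs baselining)."""
    if path.startswith(TRUSTED_MSC_DIRS):
        return "trusted"
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return "user_writable"
    return "unknown"


def build_baseline(events: list[dict]) -> set[tuple[str, str, str]]:
    """Learn (user, parent, console) triples from a known-good observation window.

    Only consoles under the Windows directory are learned, so a dropped .msc that
    happened to run during the window cannot allowlist itself.
    """
    baseline: set[tuple[str, str, str]] = set()
    for ev in events:
        console = extract_msc_path(ev["command_line"]) if basename(ev["image"]) == "mmc.exe" else None
        if console and classify_msc_path(console) == "trusted":
            baseline.add((ev["user"].lower(), basename(ev["parent_image"]), basename(console)))
    return baseline


def triage_event(ev: dict, baseline: set[tuple[str, str, str]]) -> list[str]:
    """Indicator strings for one process-creation event; an empty list means nothing to review."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    reasons: list[str] = []
    if image == "mmc.exe":
        console = extract_msc_path(ev["command_line"])
        if console:
            if (ev["user"].lower(), parent, basename(console)) in baseline:
                return []  # a known admin opening a known console from a known parent
            kind = classify_msc_path(console)
            if kind == "user_writable":
                reasons.append(f"msc_from_user_writable_path:{console}")
            elif kind == "unknown":
                reasons.append(f"msc_from_unbaselined_path:{console}")
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected_parent:{parent}")
    elif parent == "mmc.exe" and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"mmc_spawned_child:{image}")
    return reasons


def triage(events: list[dict], baseline: set[tuple[str, str, str]]) -> list[tuple[str, str, list[str]]]:
    """Events worth analyst review, as (host, user, reasons), in arrival order."""
    return [(ev["host"], ev["user"], r) for ev in events if (r := triage_event(ev, baseline))]


def _ev(host, user, parent, image, cmd):
    return {"host": host, "user": user, "parent_image": parent, "image": image, "command_line": cmd}


MMC = r"C:\Windows\System32\mmc.exe"
# Constructed known-good window: an administrator opening built-in consoles.
BASELINE_WINDOW = [
    _ev("ADM-WS01", "CORP\\admin01", r"C:\Windows\explorer.exe", MMC,
        r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc" /s'),
    _ev("ADM-WS01", "CORP\\admin01", r"C:\Windows\System32\cmd.exe", MMC,
        r"mmc.exe C:\Windows\System32\services.msc"),
]
# Constructed live events: one baselined admin action and three that merit review.
LIVE_EVENTS = [
    _ev("ADM-WS01", "CORP\\admin01", r"C:\Windows\explorer.exe", MMC,
        r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc" /s'),
    _ev("WS-0417", "CORP\\jdoe", r"C:\Windows\explorer.exe", MMC,
        r'"C:\Windows\System32\mmc.exe" "C:\Users\jdoe\Downloads\Invoice Review.msc"'),
    _ev("WS-0417", "CORP\\jdoe", r"C:\Program Files\Mail\mailclient.exe", MMC,
        r"C:\Windows\System32\mmc.exe C:\Users\jdoe\AppData\Local\Temp\setup.msc"),
    _ev("WS-0417", "CORP\\jdoe", MMC, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile -WindowStyle Hidden"),
]

if __name__ == "__main__":
    known_good = build_baseline(BASELINE_WINDOW)
    for host, user, reasons in triage(LIVE_EVENTS, known_good):
        print(f"{host} {user}: {'; '.join(reasons)}")
```

Running the block prints three review lines (the Downloads console, the Temp console launched by a mail client, and PowerShell spawned under mmc.exe) and suppresses the administrator reopening eventvwr.msc. Feeding it real events means mapping your EDR or Sysmon field names onto the five keys used here and, per the first bullet above, building the baseline from an observation window you have actually reviewed.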

Mitigation priorities

  • Ensure endpoint logging captures process creation, command-line detail, file path context, and relevant Windows host identifiers.
  • Restrict unnecessary administrative privileges and review who can create, modify, or run management console files in sensitive environments.
  • Apply application control or execution policy approaches where appropriate to limit untrusted .msc usage, while accounting for legitimate administration needs.
  • Harden and monitor administrator workstations and servers where MMC use is expected and high-impact.
  • Document detection coverage and exceptions as compliance and incident-response evidence.

Analyst notes and limits

This take is based on the detection strategy name, its external ATT&CK reference DET0222, and the relationship showing it detects T1218.014 MMC. The related technique description supports Windows MMC proxy execution of malicious .msc files and use of signed Microsoft tooling. No vendor-specific detection logic, exploitation claims, or attribution are provided by the supplied object.

The detection strategy has no official description, no official detection text, no tactics, and no platforms specified directly. Platform and tactic context come only from the related MMC technique, which lists Windows and the Defense Evasion tactic. Local telemetry availability and normal MMC administrative use must be confirmed before judging coverage or risk.

Official MITRE ATT&CK definition

Detecting MMC (.msc) Proxy Execution and Malicious COM Activation

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1218.014 | MMC (sub-technique) | This object detects MMC.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: not populated in the mirrored snapshot
Modified: not populated in the mirrored snapshot
Raw hash: 06abe5a7826f6a41...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not populated) | 1.0 | (not populated) | Current bundle | 06abe5a7826f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0222 (source URL retained in the mirrored reference record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.