T1218.014: MMC
Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways, either through its GUI or from a command prompt.[1][2] MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft-created .msc files to manage system configuration.[3]
For example, mmc C:\Users\foo\admintools.msc /a will open a custom, saved console msc file in author mode.[1] Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window.
Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).[4][5]
Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object.[6] Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.[7] Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\path\to\test.msc.[8]
Analyst context for executives and security teams
MMC matters because it is a legitimate Windows administrative console that can be used to run or load .msc console files in ways that blend with normal administration. For leaders, the risk is not simply “mmc.exe ran”; it is that a trusted Windows binary may be used to proxy malicious content, manipulate administrative tools, or support actions such as deleting a backup catalog without obvious malware-like execution.
Executive priority
Treat this as a Windows resilience and control-validation issue. Ask whether the organization can distinguish routine administrator use of MMC from unusual .msc execution, COM/CLSID-related abuse, and backup-recovery interference. This is especially relevant for SOC readiness, incident response triage, application control decisions, and evidence that recovery controls are protected from misuse.
Technical view
This is a Windows sub-technique under System Binary Proxy Execution. Validate visibility into mmc.exe executions, command-line arguments, .msc paths, author-mode or embedding-style usage, and suspicious use of administrative console files. The ATT&CK description highlights malicious .msc files, COM CLSID registry abuse, and an example involving wbadmin.msc delete catalog -quiet, which should drive detection engineering toward command-line context, registry change context, and backup-recovery impact triage. ATT&CK provides no official detection text, but relationship context includes DET0222 for detecting MMC .msc proxy execution and malicious COM activation.
Likely telemetry
- Windows process creation events for mmc.exe with full command line and parent process context
- File telemetry for .msc files, especially custom consoles or consoles launched from user-writable or unusual paths
- Registry telemetry for CLSID/COM-related key creation or modification
- Administrative tool usage evidence involving Microsoft-created .msc files such as gpedit.msc or wbadmin.msc where present
- Backup catalog or recovery-related command evidence when mmc/wbadmin-related console activity is observed
Detection direction
- Baseline legitimate MMC usage by administrators and management workflows before alerting broadly on mmc.exe alone.
- Prioritize unusual .msc file paths, custom console usage, embedding-style invocation, and command lines that include recovery-impacting actions such as delete catalog -quiet.
- Correlate mmc.exe activity with recent CLSID/COM registry changes, because the technique description includes malicious CLSID subkey abuse through custom consoles.
- Tune for false positives from normal Windows administration, Group Policy editing, and server management consoles.
- Use ATT&CK relationship DET0222 as the detection-strategy anchor, but validate locally that required process, file, and registry telemetry is actually collected.
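As an added example (not part of the ATT&CK object or of Glexia's analysis), the following Python triage function applies the detection direction above to constructed Sysmon-style events: it flags embedding-style invocation, .msc files launched from user-writable paths, the wbadmin.msc delete catalog -quiet pattern, and correlates each mmc.exe launch with a recent CLSID key change on the same host. The event dictionaries, the CLSID value and the 300-second correlation window are constructed assumptions, and a normal gpedit.msc launch is included to show baseline behaviour.

```python
import re

# Constructed sample telemetry (not real logs): Sysmon-style process-creation
# (EID 1) and registry (EID 12/13) events already parsed into dicts.
EVENTS = [
    {"ts": 100, "eid": 13, "host": "ws1",
     "target": r"HKU\S-1-5-21-1\Software\Classes\CLSID"
               r"\{00000000-0000-0000-0000-000000000001}\InprocServer32"},
    {"ts": 160, "eid": 1, "host": "ws1", "image": r"C:\Windows\System32\mmc.exe",
     "cmd": r"mmc.exe -Embedding C:\Users\foo\Downloads\test.msc",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": 400, "eid": 1, "host": "srv1", "image": r"C:\Windows\System32\mmc.exe",
     "cmd": r"mmc wbadmin.msc delete catalog -quiet",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": 500, "eid": 1, "host": "ws2", "image": r"C:\Windows\System32\mmc.exe",
     "cmd": r"mmc gpedit.msc", "parent": r"C:\Windows\explorer.exe"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
CLSID_KEY = re.compile(r"\\Classes\\CLSID\\\{[0-9A-F-]+\}", re.IGNORECASE)
CORRELATION_WINDOW = 300  # seconds between a CLSID change and the mmc.exe launch (assumed)


def score_mmc_event(ev, events):
    """Return the reasons an mmc.exe process-creation event looks suspicious."""
    reasons = []
    if ev.get("eid") != 1 or not ev.get("image", "").lower().endswith(r"\mmc.exe"):
        return reasons
    cmd = ev["cmd"]
    if re.search(r"(^|\s)-Embedding(\s|$)", cmd, re.IGNORECASE):
        reasons.append("embedding-style invocation")
    msc = re.search(r"(\S+\.msc)", cmd, re.IGNORECASE)
    if msc and USER_WRITABLE.search(msc.group(1)):
        reasons.append("msc from user-writable path")
    if re.search(r"wbadmin\.msc.*delete\s+catalog", cmd, re.IGNORECASE):
        reasons.append("backup catalog deletion")
    # Correlate with CLSID key changes on the same host shortly before the launch.
    for other in events:
        if (other.get("eid") in (12, 13) and other["host"] == ev["host"]
                and 0 <= ev["ts"] - other["ts"] <= CORRELATION_WINDOW
                and CLSID_KEY.search(other.get("target", ""))):
            reasons.append("recent CLSID registry change")
            break
    return reasons


def triage(events):
    """Map each mmc.exe command line to its reasons; an empty list means baseline."""
    return {ev["cmd"]: score_mmc_event(ev, events) for ev in events if ev.get("eid") == 1}
```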
Mitigation priorities
- Apply execution prevention controls for unauthorized or malicious code, aligned to M1038, while accounting for the fact that mmc.exe itself is a legitimate signed Windows binary.
- Use application control policy to restrict untrusted .msc execution paths and reduce reliance on signature trust alone.
- Disable or remove unnecessary features, programs, or administrative surfaces where feasible, aligned to M1042.
- Protect backup and recovery administration workflows so console-based deletion or recovery interference is reviewed and limited to authorized operators.
- Document approved MMC use cases for compliance and incident response so exceptions are intentional rather than discovered during an investigation.
Analyst notes and limits
ATT&CK maps this technique to Windows and the Defense Evasion tactic, and identifies it as a sub-technique of System Binary Proxy Execution. Relationship context also lists use by C0047 RedDelta Modified PlugX Infection Chain Operations and G1051 Medusa Group; this should inform threat-intelligence enrichment, not be treated as evidence of activity in a local environment.
The official ATT&CK detection field is not provided for this object. This analysis is based only on the supplied description, references, and relationships; local baselines, telemetry availability, and administrative practices are required to determine practical detection fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1218 | System Binary Proxy Execution | This object is a sub-technique of System Binary Proxy Execution. |
Groups, software, and campaigns
G1051: Medusa Group
Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” [1] [2] Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. [3] For initial access, Medusa Group has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally. [4]
C0047: RedDelta Modified PlugX Infection Chain Operations
RedDelta Modified PlugX Infection Chain Operations was executed by Mustang Panda from mid-2023 through the end of 2024 against multiple entities in East and Southeast Asia. RedDelta Modified PlugX Infection Chain Operations involved phishing to deliver malicious files or links to users prompting follow-on installer downloads to load PlugX on victim machines in a persistent state.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | b907bc7be8bd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021. (source record: win_mmc)
[2] Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021. (source record: what_is_mmc)
[3] Brinkmann, M. (2017, June 10). Windows .msc files overview. Retrieved September 20, 2021. (source record: win_msc_files_overview)
[4] Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021. (source record: win_wbadmin_delete_catalog)
[5] Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021. (source record: phobos_virustotal)
[6] Microsoft. (2018, May 31). CLSID Key. Retrieved September 24, 2021. (source record: win_clsid_key)
[7] Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021. (source record: mmc_vulns)
[8] bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021. (source record: abusing_com_reg)
[9] MITRE ATT&CK. T1218.014. (source record: mitre-attack)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.