
Rule Info
Name
Suspicious Scheduled Task Creation of Legitimate MSC File - Security
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of suspicious Windows Scheduled Tasks related to .msc files such as 'CompMgmt' or 'eventvwr'.
These are legitimate Windows files used to launch management tools and configure system settings.
During their execution, they check the registry key `HKCU\Software\Classes\mscfile\shell\open\command`
to determine the location of `mmc.exe`, which is used to open files such as `eventvwr.msc` or `CompMgmt.msc`.
If the registry value is modified to point to a malicious binary, that binary is executed instead of `mmc.exe` as a privileged process, bypassing the UAC prompt.
Adversaries could exploit this by modifying the `HKCU\Software\Classes\mscfile\shell\open\command` registry key to point to a malicious binary,
allowing it to run with elevated privileges without user consent, thereby bypassing UAC.
For persistence, they could create a scheduled task to ensure the malicious binary is executed repeatedly.
It is therefore also recommended to check whether the registry value has been tampered with in order to confirm malicious activity.
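The following PowerShell script is an added triage example for analysts acting on this rule; it is not part of the Sigma rule or of Nextron's content. It checks the two conditions the description names: whether the per-user `HKCU\Software\Classes\mscfile\shell\open\command` handler exists and points somewhere other than `mmc.exe`, and which scheduled tasks reference an `.msc` file. The function names, the assumption that the key is normally absent under HKCU (the system-wide default lives under HKCR), and the regex used to recognise the legitimate `mmc.exe` path are this example's own choices, not the rule's.

```powershell
# Added triage example (not part of the Sigma rule). Run in the context of the user whose
# HKCU hive should be inspected; requires the built-in ScheduledTasks module.

$MscCommandKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'

function Test-MscFileHandler {
    # Reports the per-user mscfile open handler. Assumption: this key normally does not
    # exist under HKCU, so its mere presence is notable, and a value that does not point
    # at mmc.exe is the tampering the rule description warns about.
    if (-not (Test-Path -Path $MscCommandKey)) {
        return [pscustomobject]@{ Present = $false; Command = $null; Suspicious = $false }
    }
    $cmd = [string](Get-ItemProperty -Path $MscCommandKey).'(default)'
    # Legitimate default is %SystemRoot%\system32\mmc.exe "%1" %* (path may vary in case)
    $looksLegit = $cmd -match '(?i)\\system32\\mmc\.exe\b'
    [pscustomobject]@{ Present = $true; Command = $cmd; Suspicious = -not $looksLegit }
}

function Get-MscScheduledTask {
    # Lists scheduled tasks whose action executes or passes an .msc file
    # (e.g. eventvwr.msc or CompMgmt.msc), the creation pattern the rule alerts on.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $line = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if ($line -match '(?i)\.msc\b') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Action   = $line
                }
            }
        }
    }
}

$handler = Test-MscFileHandler
if ($handler.Suspicious) {
    Write-Warning "mscfile handler under HKCU points away from mmc.exe: $($handler.Command)"
} elseif ($handler.Present) {
    Write-Output "mscfile handler present under HKCU but points at mmc.exe: $($handler.Command)"
} else {
    Write-Output "No per-user mscfile handler under HKCU (expected default)."
}

$tasks = @(Get-MscScheduledTask)
Write-Output ("Scheduled tasks referencing .msc files: {0}" -f $tasks.Count)
$tasks | Format-Table -AutoSize
```

A task that launches an `.msc` file is only a strong indicator when combined with a tampered handler, so read both results together: a tampered key with no task is still a UAC-bypass finding, and an `.msc` task with the default key is more often an administrator's shortcut than persistence.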
Date
2025-03-07 00:00:00
Modified
None
Id
c2b40996-8010-487e-bf0d-26432fabc0b6
Tags
attack.persistence attack.t1053.005 attack.privilege-escalation attack.defense-evasion attack.t1548.002
Type
Nextron Sigma feed only (private)