From d6e3d7016d83cf57a69bd183953340a2fdbfc7df Mon Sep 17 00:00:00 2001 From: Fred Cyber Security Date: Sun, 1 Jun 2025 14:04:47 +0200 Subject: [PATCH] Update Mmc.yml (#437) Co-authored-by: Wietze --- yml/OSBinaries/Mmc.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 44eefd4..072b59b 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -22,6 +22,15 @@ Commands: OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 Tags: - Execute: DLL + - Command: mmc.exe -Embedding {PATH_ABSOLUTE:.msc} + Description: Download and save an executable to disk + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1218.014 + OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 + Tags: + - Application: GUI Full_Path: - Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe @@ -31,8 +40,10 @@ Detection: Resources: - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ - Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html + - Link: https://www.youtube.com/watch?v=LFgZOTmhzeA Acknowledgement: - Person: Jimmy Handle: '@bohops' - Person: clem Handle: '@clavoillotte' + - Person: Fredrik H. Brathen
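Review bot: In the first hunk, the new `Commands` entry claims "Download and save an executable to disk" (Category `Download`), but the command line `mmc.exe -Embedding {PATH_ABSOLUTE:.msc}` only references a local console file and nothing in the entry says what inside the `.msc` triggers the fetch or where the file is written. Please spell out the mechanism in `Description` (which element of the console file reaches the remote resource and what the resulting on-disk artifact looks like), since that is what a detection author needs to key on; the hunk header for the following region shows this file already carries a `Detection:` block, and the new case adds no corresponding detection note.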
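Review bot: In the second hunk, the added `Acknowledgement` entry `- Person: Fredrik H. Brathen` has no `Handle:` line, whereas the two existing entries in the same context (`'@bohops'`, `'@clavoillotte'`) each carry one; add the handle or confirm the schema treats it as optional. The only new `Resources` link is a YouTube URL, which is the sole reference for the download use case added in the first hunk; a written write-up, or at least a short note on what the video demonstrates, would make the entry easier to verify and less likely to go stale if the video is removed.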