GrimResource Attack Detection: A New Infection Technique Abuses Microsoft Management Console to Gain Full Code Execution
Cybersecurity researchers discovered a new code execution technique that employs specially crafted MSC files and a Windows XSS flaw. The newly uncovered infection technique, dubbed GrimResource, allows attackers to perform code execution in the Microsoft Management Console (MMC). Defenders discovered a sample using GrimResource that was recently uploaded to VirusTotal in early June 2024, indicating that the new infection technique is being actively exploited in the wild.
Detect GrimResource Attacks
With the ever-growing attack surface, adversaries are relentlessly innovating infection methods to extend their reach, avoid detection, and target new victims. The discovery of a new in-the-wild attack technique termed GrimResource that exploits MMC for initial access and evasion, leading to code execution, underscores the need for future-proof defensive measures to thwart sophisticated offensive efforts. SOC Prime Platform for collective cyber defense equips security teams with a set of curated Sigma rules for GrimResource attack detection, helping them stay ahead of adversaries no matter the organization’s size, level of cybersecurity maturity, or environment needs.
Click the Explore Detections button below to obtain the list of relevant SOC content enriched with actionable CTI, linked to MITRE ATT&CK®, and available for use across industry-leading SIEM, EDR, and Data Lake solutions depending on the tech stack your organization relies on.
GrimResource Attack Analysis
Attackers continually adopt novel methods to bypass defenses and spread the infection after gaining access to targeted environments. Since Microsoft began disabling Office macros by default for documents sourced from the internet, alternative attack vectors have become increasingly popular. For instance, attackers started abusing new attachment types, such as Windows Shortcuts and OneNote files, to steal credentials and distribute malware. Adversaries are now setting their sights on weaponizing Windows MSC files, which the Microsoft Management Console uses to manage different aspects of the operating system or to create customized views for commonly accessed tools.
Elastic researchers have recently identified a new infection technique dubbed GrimResource that weaponizes MSC files. After a user opens a specially crafted MSC file, attackers can execute arbitrary code within the context of mmc.exe.
The attack flow starts with a harmful MSC file that tries to exploit an old DOM-based XSS flaw in the “apds.dll” library, enabling arbitrary JavaScript execution via a crafted URL. This security bug was reported to Adobe and Microsoft in October 2018; however, the issue remained unpatched. Exploiting the XSS vulnerability can be paired with the “DotNetToJScript” technique to execute arbitrary .NET code via the JavaScript engine, effectively bypassing existing security measures.
The discovered sample uses transformNode obfuscation to bypass ActiveX warnings, and the JavaScript code reconstructs a VBScript that utilizes DotNetToJScript to load a .NET component dubbed PASTALOADER. The latter retrieves the payload from environment variables defined by the VBScript. Subsequently, PASTALOADER spawns a new dllhost.exe process and injects the payload into it using multiple detection evasion methods. In the examined sample, attackers deployed Cobalt Strike.
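The attack flow above suggests a static triage check for MSC files, sketched here as an added example that is not part of the original article or of any vendor rule set. It flags the markers the article names (a reference to apds.dll, a transformNode call, embedded script); the function names, verdict labels and both sample files are constructed for illustration, and the decoding steps assume the strings may be UTF-16, XML-entity or percent-encoded.

```python
import html
import re
from urllib.parse import unquote

# Indicators named in the article: the apds.dll library, transformNode
# obfuscation, and embedded JavaScript/VBScript.
INDICATORS = {
    "apds_dll_reference": re.compile(r"apds\.dll", re.I),
    "transformnode_call": re.compile(r"\.transformNode\s*\(", re.I),
    "script_content": re.compile(r"<script|javascript:|vbscript", re.I),
}

def decode_msc(raw: bytes) -> str:
    """Decode MSC bytes to text; UTF-16 content defeats a plain ASCII grep."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16", errors="replace")
    elif len(raw) >= 4 and raw[1] == 0 and raw[3] == 0:
        text = raw.decode("utf-16-le", errors="replace")  # BOM-less UTF-16LE
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    # Assumption: strings may be XML-entity or percent-encoded, so undo both.
    return unquote(html.unescape(text))

def triage_msc(raw: bytes) -> dict:
    """Return matched indicators and a coarse verdict for one MSC file."""
    text = decode_msc(raw)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if "apds_dll_reference" in hits and len(hits) > 1:
        verdict = "suspicious"  # library reference plus script/obfuscation
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}

# Constructed samples (not real malware; the URL is an inert placeholder).
BENIGN = (b'<?xml version="1.0"?><MMC_ConsoleFile ConsoleVersion="3.0">'
          b'<StringTables><String ID="1">Services</String></StringTables>'
          b'</MMC_ConsoleFile>')
SUSPECT = ('<?xml version="1.0"?><MMC_ConsoleFile><StringTables>'
           '<String ID="1">placeholder://APDS.DLL/page?x=PLACEHOLDER</String>'
           '<String ID="2">%3Cscript%3Exsl.transformNode%28doc%29%3C/script%3E'
           '</String></StringTables></MMC_ConsoleFile>').encode("utf-16")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage_msc(sample))
```

A content match of this kind is a triage signal for MSC files arriving by email or download, and is best paired with process telemetry for mmc.exe and dllhost.exe.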
As the GrimResource offensive technique is actively used in in-the-wild attacks, organizations are looking for ways to identify potential infections in a timely manner and proactively thwart sophisticated intrusions. By relying on SOC Prime’s Attack Detective, security teams can promptly address emerging threats before they escalate and gain real-time visibility into the organization’s cybersecurity posture against the attacker TTPs relevant to its threat profile while maximizing the value of security investments.