We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

NewApp Digest
search bot

New Attack Technique Exploits Microsoft Management Console Files

June 25, 2024

Exploiting Novel Attack Technique with GrimResource

Threat actors have been identified exploiting a new attack technique using specially crafted management saved console (MSC) files to achieve full code execution through Microsoft Management Console (MMC) while evading security defenses.

The approach, codenamed GrimResource by Elastic Security Labs, was discovered after an artifact (“sccm-updater.msc”) was uploaded to the VirusTotal malware scanning platform on June 6, 2024.

According to the company, when a malicious console file is imported, a vulnerability in one of the MMC libraries can allow adversary code to run, potentially leading to malware execution. Attackers can combine this technique with DotNetToJScript to achieve arbitrary code execution, opening the door to unauthorized access and system takeover.

This method of using uncommon file types as a malware distribution vector is a creative attempt by adversaries to bypass security measures put in place by Microsoft, such as disabling macros in Office files downloaded from the internet.

The GrimResource technique exploits a cross-site scripting (XSS) flaw in the apds.dll library to execute JavaScript code within the context of MMC. Despite being reported to Microsoft and Adobe in 2018, the XSS flaw remains unpatched, allowing for the execution of JavaScript code when a malicious MSC file is opened using MMC.

Not only does this technique bypass ActiveX warnings, but it can also be combined with DotNetToJScript to achieve arbitrary code execution. The analyzed sample utilizes this approach to launch a .NET loader component called PASTALOADER, ultimately facilitating the deployment of Cobalt Strike.

Security researchers Joe Desimone and Samir Bousseaden noted that following Microsoft’s default disabling of Office macros for internet-sourced documents, alternative infection vectors like JavaScript, MSI files, LNK objects, and ISOs have gained popularity. However, these methods are closely monitored by defenders and are more likely to be detected, prompting attackers to develop new techniques like executing arbitrary code in Microsoft Management Console using crafted MSC files.

Winsage
New Attack Technique Exploits Microsoft Management Console Files