June 24, 2024 at 03:06PM
A novel command execution technique, ‘GrimResource,’ leverages an unpatched Windows XSS flaw and specially crafted MSC files to deploy malware. The technique evades detection by current antivirus engines. The attack begins with a malicious MSC file exploiting a known XSS vulnerability, ultimately leading to the deployment of Cobalt Strike and execution of arbitrary commands.
A new command execution technique called “GrimResource” exploits an unpatched Windows XSS flaw and utilizes specially crafted MSC files to perform code execution via the Microsoft Management Console (MMC). The technique was discovered by the Elastic team, and a sample leveraging GrimResource was recently uploaded to VirusTotal, indicating active exploitation in the wild.
The attack begins with a malicious MSC file that exploits an old DOM-based cross-site scripting (XSS) flaw in the ‘apds.dll’ library. This allows the execution of arbitrary JavaScript through a crafted URL. The crafted MSC file contains references to the vulnerable APDS resource in its StringTable section, so when the target opens it, MMC processes the file and triggers the JavaScript execution in the context of ‘mmc.exe.’
The XSS flaw can be combined with the ‘DotNetToJScript’ technique to execute arbitrary .NET code through the JavaScript engine, bypassing security measures. The examined sample also uses obfuscation techniques to evade ActiveX warnings, reconstructs a VBScript that loads a .NET component named ‘PASTALOADER,’ retrieves a Cobalt Strike payload, spawns a new instance of ‘dllhost.exe,’ and injects it using various techniques.
System administrators are advised to be on the lookout for specific file operations involving apds.dll invoked by mmc.exe, suspicious executions via MMC with .msc file arguments, and unusual .NET COM object creation within non-standard script interpreters, among other indicators.
Additionally, Elastic Security has published a complete list of GrimResource indicators on GitHub and provided YARA rules in the report to help defenders detect suspicious MSC files.
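As an added illustration (not code from the Elastic report or from this article) of how the host-side indicators above can be turned into a check, the Python below triages an MSC file's StringTable for apds.dll references and maps the mmc.exe/apds.dll load, the .msc argument and the .NET COM creation indicators onto a constructed telemetry schema; the MSC element names and the event fields are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed telemetry schema (an assumption, not any vendor's format).
STANDARD_SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_STRING = re.compile(r"apds\.dll|javascript:", re.IGNORECASE)


def suspicious_msc_strings(msc_xml: str) -> list:
    """Return StringTable <String> entries that reference apds.dll or inline
    JavaScript; a legitimate console has no reason to carry either."""
    root = ET.fromstring(msc_xml)
    return [
        el.text.strip()
        for el in root.iter()
        if el.tag.lower() == "string" and el.text and SUSPICIOUS_STRING.search(el.text)
    ]


def grimresource_indicators(events: list) -> list:
    """Map the host-side indicators from the report onto telemetry events."""
    findings = []
    for ev in events:
        proc = ev.get("process", "").lower()
        if (ev.get("type") == "image_load" and proc == "mmc.exe"
                and ev.get("image", "").lower().endswith("apds.dll")):
            findings.append("mmc.exe loaded apds.dll")
        elif (ev.get("type") == "process_start" and proc == "mmc.exe"
                and ".msc" in ev.get("cmdline", "").lower()):
            findings.append("mmc.exe started with .msc argument")
        elif (ev.get("type") == "com_create" and ev.get("dotnet")
                and proc not in STANDARD_SCRIPT_HOSTS):
            findings.append(f".NET COM object created in {proc}")
    return findings


# Constructed MSC fragment: element names follow the usual MMC console layout
# (an assumption); the apds.dll reference is a placeholder, not a payload.
SAMPLE_MSC = """<MMC_ConsoleFile>
  <StringTables><StringTable><Strings>
    <String ID="1">Console Root</String>
    <String ID="2">res://apds.dll/placeholder.html</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Constructed events; the wscript.exe entry shows a standard host is not flagged.
SAMPLE_EVENTS = [
    {"type": "process_start", "process": "mmc.exe", "cmdline": r'mmc.exe "C:\tmp\x.msc"'},
    {"type": "image_load", "process": "mmc.exe", "image": r"C:\Windows\System32\apds.dll"},
    {"type": "com_create", "process": "mmc.exe", "dotnet": True},
    {"type": "com_create", "process": "wscript.exe", "dotnet": True},
]
```

Run on real data, the .msc-argument check alone is noisy (administrators open consoles routinely); it is the combination with the apds.dll load in mmc.exe that carries the signal.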
The researchers confirmed that the XSS flaw is still unpatched in the latest version of Windows 11, and there are currently no antivirus engines on VirusTotal that flag the uploaded sample as malicious.