New Attack Technique Exploits Microsoft Management Console Files

June 25, 2024 at 07:51AM

Threat actors are using a novel attack technique, named GrimResource, to exploit a vulnerability in Microsoft Management Console (MMC) using maliciously crafted .MSC files. This technique allows for arbitrary code execution and has been used by the Kimsuky hacking group. The approach bypasses security measures and can lead to system takeover.

The key takeaways from the article are:

– Threat actors are leveraging a novel attack technique using specially crafted management saved console (MSC) files to gain full code execution in Microsoft Management Console (MMC) and evade security defenses.

– Elastic Security Labs has codenamed this approach “GrimResource” after identifying a specific artifact (“sccm-updater.msc”) uploaded to the VirusTotal malware scanning platform.

– The use of uncommon file types such as MSC files as a malware distribution vector is emerging as an alternative way for adversaries to bypass security measures.

– The technique exploits a cross-site scripting (XSS) flaw in the apds.dll library to execute arbitrary JavaScript code in the context of MMC, and it can be combined with DotNetToJScript to gain arbitrary code execution.

– After Microsoft disabled Office macros by default for internet-sourced documents, other infection vectors such as JavaScript, MSI files, LNK objects, and ISOs have surged in popularity, prompting attackers to develop new techniques like executing arbitrary code in MMC using crafted MSC files.
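A defender's first question after reading the above is how to triage .MSC files that land in a mail gateway or on disk. The script below is an added example, not code from the article or from Elastic Security Labs; it treats a saved console as the XML document MMC writes and flags the indicators the article names (a reference to apds.dll, embedded script, or a javascript: URI). The assumption, labelled in the code, is that a legitimately saved console never references apds.dll or carries script content, so any such reference is worth quarantining and reviewing. The two sample consoles are constructed for the example and are not real artifacts.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Heuristic indicators drawn from the article's description of GrimResource.
# Assumption: a legitimate saved console never references apds.dll and never
# embeds a <script> tag or a javascript: URI in its string table.
INDICATORS = {
    "apds_dll_reference": re.compile(r"apds\.dll", re.IGNORECASE),
    "inline_script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def iter_text_nodes(msc_bytes):
    """Yield every element text and attribute value in the console XML.

    If the file is not well-formed XML (truncated, obfuscated, or simply not a
    console), fall back to scanning the raw text so nothing is silently skipped.
    """
    try:
        root = ET.fromstring(msc_bytes)
    except ET.ParseError:
        yield msc_bytes.decode("utf-8", errors="replace")
        return
    for elem in root.iter():
        if elem.text:
            yield elem.text
        for value in elem.attrib.values():
            yield value


def scan_msc(msc_bytes):
    """Return the sorted list of indicator names found anywhere in the file.

    An empty list means none of the heuristics fired; a non-empty list is a
    reason to quarantine the file for manual review, not proof of malice.
    """
    hits = set()
    for text in iter_text_nodes(msc_bytes):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.add(name)
    return sorted(hits)


# Constructed sample: the shape of an ordinary saved console with plain strings.
BENIGN_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Services</String>
        <String ID="2">Local computer</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed sample: string-table entries carrying each indicator. This is
# illustrative content for the scanner, not a working exploit document.
SUSPICIOUS_MSC = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">apds.dll</String>
        <String ID="2">&lt;script&gt;void(0)&lt;/script&gt;</String>
        <String ID="3">javascript:void(0)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


if __name__ == "__main__":
    # Usage: python scan_msc.py file1.msc file2.msc ...
    # With no arguments, run the scanner over the two constructed samples.
    paths = sys.argv[1:]
    if not paths:
        for label, data in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
            print(f"{label}: {scan_msc(data) or 'no indicators'}")
    for path in paths:
        with open(path, "rb") as fh:
            print(f"{path}: {scan_msc(fh.read()) or 'no indicators'}")
```

Running the script with no arguments prints no indicators for the benign sample and all three indicator names for the suspicious one. The regex-based fallback matters in practice: a file that has been padded or damaged so the XML parser rejects it still gets scanned, which is exactly the case an evasion attempt tends to produce.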

These takeaways highlight the emergence of a new attack technique and the evolving methods used by threat actors to bypass security measures.
