2024-07-11

GrimResource Attack Exploits Old XSS Flaw in Microsoft Management Console

Level: Tactical | Source: Elastic | Global


A novel attack technique, dubbed GrimResource, abuses the Microsoft Management Console (mmc.exe) to execute arbitrary code. It was recently disclosed by Elastic security researchers Joe Desimone and Samir Bousseaden. The method exploits a known cross-site scripting (XSS) flaw in the apds.dll library: a vulnerability in the APDS resource is used to trigger malicious script execution from within an .msc file. As the Elastic researchers put it, "Attackers can combine this technique with DotNetToJScript to gain arbitrary code execution, which can lead to unauthorized access, system takeover, and more." The threat is amplified by the attackers' ability to stay under the radar, evading defenses and launching the attack with nothing more than a user's click on a maliciously crafted MSC file.

The GrimResource chain begins with the execution of mmc.exe, which processes a specially crafted MSC file containing an embedded VBScript that uses the DotNetToJScript technique. DotNetToJScript generates JScript that bootstraps and executes an arbitrary .NET assembly and class, allowing managed code to run in environments that would normally only execute JScript. This in turn loads PASTALOADER, which bridges to the next stage by spawning a new instance of dllhost.exe and injecting into it to further evade defenses. "This is done in a deliberately stealthy manner using the DirtyCLR technique, function unhooking, and indirect syscalls. In this sample, the final payload is Cobalt Strike," Elastic explains.
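The two paragraphs above give a defender two hooks: the MSC file itself must reference apds.dll and carry script content, and on execution mmc.exe (started with an .msc argument) spawns dllhost.exe. The following Python is an added example, not code from Anvilogic or Elastic, that turns both observations into simple checks. The MSC snippets, the process-event field names (pid, ppid, image, cmdline) and the sample events are constructed for this example and do not come from real telemetry.

```python
"""
Added example (not from the Anvilogic page or from Elastic): two defender-side
checks for the GrimResource chain described above.

1. scan_msc_text(): flag an .msc file whose XML references apds.dll or carries
   embedded script, the two ingredients the technique relies on.
2. detect_mmc_chain(): flag process-creation events where mmc.exe was started
   with an .msc argument and then spawned dllhost.exe, the PASTALOADER hand-off.

Field names and sample data below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Indicators taken from the write-up: the apds.dll library, and script content
# embedded in the console file.
APDS_RE = re.compile(r"apds\.dll", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b|javascript:|vbscript:", re.IGNORECASE)


def scan_msc_text(xml_text: str) -> list[str]:
    """Return the suspicious indicators found in an MSC file's text content."""
    hits = []
    if APDS_RE.search(xml_text):
        hits.append("references apds.dll")
    if SCRIPT_RE.search(xml_text):
        hits.append("contains embedded script")
    return hits


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (constructed schema, not a real product's)."""
    pid: int
    ppid: int
    image: str       # lowercase executable name, e.g. "mmc.exe"
    cmdline: str


def detect_mmc_chain(events: list[ProcEvent]) -> list[tuple[int, int]]:
    """Return (mmc_pid, dllhost_pid) pairs where an mmc.exe that opened an
    .msc file went on to spawn dllhost.exe. Admin use of mmc.exe alone is
    not flagged; only the mmc.exe -> dllhost.exe pairing is."""
    msc_mmc_pids = {
        e.pid for e in events
        if e.image == "mmc.exe" and re.search(r"\.msc\b", e.cmdline, re.IGNORECASE)
    }
    return [
        (e.ppid, e.pid) for e in events
        if e.image == "dllhost.exe" and e.ppid in msc_mmc_pids
    ]


# Constructed samples --------------------------------------------------------
BENIGN_MSC = (
    '<MMC_ConsoleFile><StringTable><String ID="1">Services</String>'
    "</StringTable></MMC_ConsoleFile>"
)
SUSPICIOUS_MSC = (
    '<MMC_ConsoleFile><StringTable><String ID="1">apds.dll</String>'
    '<String ID="2"><script>CONSTRUCTED_PLACEHOLDER</script></String>'
    "</StringTable></MMC_ConsoleFile>"
)

SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    # user double-clicks a downloaded console file
    ProcEvent(200, 100, "mmc.exe", 'mmc.exe "C:\\Users\\user\\Downloads\\invoice.msc"'),
    ProcEvent(300, 200, "dllhost.exe", "dllhost.exe /Processid:{CONSTRUCTED-GUID}"),
    # routine admin use: mmc.exe with an .msc but no dllhost.exe child
    ProcEvent(400, 100, "mmc.exe", "mmc.exe services.msc"),
    # unrelated dllhost.exe whose parent is not mmc.exe
    ProcEvent(500, 1, "dllhost.exe", "dllhost.exe /Processid:{CONSTRUCTED-GUID}"),
]


if __name__ == "__main__":
    print("benign MSC:", scan_msc_text(BENIGN_MSC))
    print("suspicious MSC:", scan_msc_text(SUSPICIOUS_MSC))
    print("mmc -> dllhost chains:", detect_mmc_chain(SAMPLE_EVENTS))
```

The file check is deliberately content-based rather than tied to a particular MSC schema, so it also covers consoles saved with unusual element layouts; the process check pairs parent and child so that ordinary administrative use of mmc.exe with a console file does not fire on its own.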

The relevance of this technique and the implementation of compensating detections are crucial as threat actors continue to adopt new attack methods. As the researchers point out, "After Microsoft disabled Office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have surged in popularity."
