Organizations' networks could be compromised through the new GrimResource command execution technique, which abuses Microsoft Saved Console (MSC) files together with a Windows cross-site scripting vulnerability that was reported in 2018 and has still not been patched, reports BleepingComputer.
Intrusions begin with a malicious MSC file that triggers a DOM-based XSS flaw in the 'apds.dll' library; chained with the 'DotNetToJScript' technique, the flaw enables arbitrary .NET code execution in the context of the Microsoft Management Console (mmc.exe) and, in the observed sample, the eventual deployment of a Cobalt Strike payload, according to a report from Elastic Security Labs. Because GrimResource is being exploited in the wild, system administrators should watch for file operations performed by mmc.exe while apds.dll is loaded, RWX memory allocations by mmc.exe, suspicious MSC-based executions, atypical .NET COM object usage, and temporary HTML files produced by the APDS XSS redirection, according to Elastic Security researchers, who also published YARA rules for detecting suspicious MSC files.
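The indicators listed above can be turned into simple host-telemetry checks. The following is an added example, not code from Elastic or from the article: it runs four heuristics over a handful of constructed events (the JSON event shape, field names, user paths and the temp HTML file name are all assumptions made for this illustration, loosely modeled on image-load, file-create, process-create and memory-allocation telemetry) and reports which GrimResource indicator each event matches.

```python
"""Toy GrimResource indicator checks over constructed endpoint telemetry.

The event format below is invented for this example; adapt the field
names to whatever EDR or Sysmon pipeline you actually have.
"""
import json
import re

# Constructed sample telemetry, one JSON object per line. The attacker
# paths and the temp HTML file name are made up for the illustration.
SAMPLE_EVENTS = r"""
{"type": "process_create", "image": "C:\\Windows\\System32\\mmc.exe", "cmdline": "\"C:\\Windows\\System32\\mmc.exe\" C:\\Users\\alice\\Downloads\\invoice.msc"}
{"type": "image_load", "image": "C:\\Windows\\System32\\mmc.exe", "loaded": "C:\\Windows\\System32\\apds.dll"}
{"type": "file_create", "image": "C:\\Windows\\System32\\mmc.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\page.html"}
{"type": "memory_alloc", "image": "C:\\Windows\\System32\\mmc.exe", "protection": "RWX", "size": 4096}
{"type": "process_create", "image": "C:\\Windows\\System32\\mmc.exe", "cmdline": "\"C:\\Windows\\System32\\mmc.exe\" C:\\Windows\\System32\\eventvwr.msc"}
{"type": "image_load", "image": "C:\\Windows\\System32\\notepad.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll"}
""".strip()

MSC_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.msc', re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r'^[a-z]:\\windows\\', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\(temp|inetcache)\\', re.IGNORECASE)


def parse_events(text):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_mmc(event):
    """True when the acting process is mmc.exe (any path)."""
    return event.get("image", "").lower().endswith("\\mmc.exe")


def check_unusual_msc_launch(event):
    """mmc.exe opening an .msc that does not live under the Windows directory."""
    if event.get("type") != "process_create" or not is_mmc(event):
        return False
    match = MSC_PATH_RE.search(event.get("cmdline", ""))
    return bool(match) and not WINDOWS_DIR_RE.match(match.group(0))


def check_mmc_loaded_apds(event):
    """mmc.exe loading apds.dll, the library carrying the unpatched XSS."""
    return (event.get("type") == "image_load" and is_mmc(event)
            and event.get("loaded", "").lower().endswith("\\apds.dll"))


def check_mmc_temp_html(event):
    """mmc.exe writing an .html file into a temp or browser-cache directory."""
    target = event.get("target", "")
    return (event.get("type") == "file_create" and is_mmc(event)
            and target.lower().endswith(".html")
            and TEMP_DIR_RE.search(target) is not None)


def check_mmc_rwx_alloc(event):
    """mmc.exe allocating memory that is writable and executable at once."""
    return (event.get("type") == "memory_alloc" and is_mmc(event)
            and event.get("protection", "").upper() == "RWX")


RULES = {
    "unusual_msc_launch": check_unusual_msc_launch,
    "mmc_loaded_apds": check_mmc_loaded_apds,
    "mmc_temp_html": check_mmc_temp_html,
    "mmc_rwx_alloc": check_mmc_rwx_alloc,
}


def detect(events):
    """Return one alert dict per (rule, event) match, in event order."""
    alerts = []
    for event in events:
        for name, check in RULES.items():
            if check(event):
                alerts.append({"rule": name, "event": event})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert["rule"], "<-", json.dumps(alert["event"]))
```

Each rule is noisy on its own (administrators do open consoles, and mmc.exe loads many DLLs), so in practice these hits are worth correlating on the same mmc.exe process ID within a short window rather than alerting on any single one; the built-in eventvwr.msc launch in the sample is deliberately left unflagged to show the path filter.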