Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

GrimResource Exploits MSC Files and XSS Flaw

June 21, 2024
Reading Time: 2 mins read
in Alerts
GrimResource Exploits MSC Files and XSS Flaw

A new command execution technique known as GrimResource has emerged, utilizing Microsoft Saved Console (MSC) files and an unpatched Windows XSS vulnerability to execute arbitrary code via the Microsoft Management Console. This technique leverages MSC files, a type used for managing system tools, and exploits an old cross-site scripting (XSS) flaw in the `apds.dll` library. The attack involves a specially crafted MSC file that triggers JavaScript execution in the context of the `mmc.exe` process, allowing the deployment of malware like Cobalt Strike.

Since July 2022, attackers have shifted tactics due to changes in Microsoft’s handling of macros in Office, initially turning to file types like ISO images and password-protected ZIP files. After these were patched, they moved to new file types such as Windows Shortcuts and OneNote files. The latest shift involves MSC files, which are now being used to circumvent security measures that were put in place to detect previous attack methods. The malicious MSC file contains code that exploits the XSS vulnerability to execute arbitrary JavaScript.

The GrimResource attack was recently observed in a sample uploaded to VirusTotal in June 2024. This sample uses the GrimResource technique to deploy Cobalt Strike, a popular tool for initial network access, and demonstrates the ongoing threat posed by unpatched vulnerabilities. The XSS flaw in question, reported in 2018, remains unpatched in the latest Windows versions, raising concerns about its exploitation in ongoing cyber campaigns.

To mitigate the risks associated with GrimResource, system administrators are advised to monitor for suspicious activities involving `apds.dll` and `mmc.exe`, as well as look for unusual .NET COM object creation and temporary HTML files created in the INetCache folder. Elastic Security has provided a list of indicators and YARA rules on GitHub to help detect and defend against these attacks, emphasizing the need for vigilance in identifying and responding to these sophisticated threats.

Reference:

  • New GrimResource Attack Uses MSC Files and XSS Flaw for Code Execution
Tags: Cobalt StrikeCyber AlertsCyber Alerts 2024Cyber threatsGrimResourceJavascriptJune 2024MicrosoftVulnerability
ADVERTISEMENT

Related Posts

Fileless Remcos RAT Delivery Via LNK Files

APT28 RoundPress Webmail Hack Steals Emails

May 16, 2025
Fileless Remcos RAT Delivery Via LNK Files

FBI Warns of AI Voice Phishing Scams

May 16, 2025
Fileless Remcos RAT Delivery Via LNK Files

Fileless Remcos RAT Delivery Via LNK Files

May 16, 2025
HTTPBot DDoS Threat To Windows Systems

Horabot Malware Targets LatAm Via Phishing

May 15, 2025
HTTPBot DDoS Threat To Windows Systems

Google Patches Chrome Account Takeover Bug

May 15, 2025
HTTPBot DDoS Threat To Windows Systems

HTTPBot DDoS Threat To Windows Systems

May 15, 2025

Latest Alerts

Fileless Remcos RAT Delivery Via LNK Files

FBI Warns of AI Voice Phishing Scams

APT28 RoundPress Webmail Hack Steals Emails

Google Patches Chrome Account Takeover Bug

Horabot Malware Targets LatAm Via Phishing

HTTPBot DDoS Threat To Windows Systems

Subscribe to our newsletter

    Latest Incidents

    Hackers Target Swiss Reserve Power Plant

    Coinbase Insider Attack Exposed User Data

    Cyberattack Hits J Batista Group

    Dior Breach Exposes Asian Customer Data

    Australian Human Rights Body Files Leaked

    Nucor Cyberattack Halts Plants Networks

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial