Elastic discovers new attack vector in Microsoft Management Console

Elastic Security Labs has discovered a new execution technique named GrimResource, which can allow attackers to achieve full code execution in the Microsoft Management Console (mmc.exe) with minimal security warnings following the user’s interaction with a specially crafted MSC file. This revelation highlights the increasing innovation in attack methodologies tailored to circumvent current security measures.

The mechanism behind GrimResource exploits a vulnerability within one of the Microsoft Management Console (MMC) libraries. When a maliciously designed console file is introduced, the vulnerability can be manipulated to execute adversary code, including malware. Elastic Security Labs has observed this technique being deployed in-the-wild, indicating its active use by attackers. A sample utilizing GrimResource was first submitted to VirusTotal on 6th June of this year.

Attackers looking to leverage GrimResource can also use the DotNetToJScript method to execute arbitrary code, leading to potential unauthorized access or complete system takeover. This combination underscores a sophisticated level of threat actors seeking to use novel strategies for system compromise.

The detailed analysis provided by Elastic Security Labs outlines several key aspects of the GrimResource technique. It uses an old Cross-site scripting (XSS) flaw present in the apds.dll library by embedding a reference to the APDS resource within the StringTable section of an MSC file. This setup allows the execution of arbitrary JavaScript within the mmc.exe context. Further technical investigation has shown that attackers employ obfuscation methods, such as the transformNode technique, to evade ActiveX security warnings. This obfuscation renders detection more challenging for standard security mechanisms.

This technique progresses by deploying an obfuscated VBScript, which sets environment variables for the target payload. Subsequently, the DotNetToJScript method executes an embedded .NET loader, termed PASTALOADER. PASTALOADER, a crucial component identified by Elastic, retrieves the payload from the environment variables and initializes a dllhost.exe instance, injecting the payload stealthily using methods like DirtyCLR and indirect syscalls. In this instance, the final payload detected was Cobalt Strike, a commonly used penetration testing tool that has been repurposed for malicious activities.

Elastic Security Labs has also identified specific detection rules and strategies to mitigate this threat. For instance, the identification of suspicious executions via the Microsoft Management Console and the use of .NET COM objects in non-standard script interpreters were both highlighted as significant detection methodologies. These detections involve monitoring for RWX memory allocations from trusted .NET processes that align with the observed technique.

Additional detections include observing the creation of temporary HTML files within the INetCache folder, labeled as 'redirect[*]', which are indicative of the APDS XSS redirection technique. Elastic provides YARA rules and Elastic Defend file open events policies to assist the cybersecurity community in implementing robust defensive measures against this execution technique.