New Command Execution Method 'GrimResource' Allows Attackers To Execute Code Via Microsoft Management Console
A novel command execution technique called 'GrimResource' leverages crafted MSC files and an unpatched Windows XSS flaw to execute code via the Microsoft Management Console. After Microsoft disabled macros in Office by default in July 2022, attackers experimented with various file types for phishing, eventually moving to MSC files. Elastic discovered this new technique, motivated by research from Genian, which involves the use of an old XSS flaw to deploy Cobalt Strike. This method is currently active, with samples found on VirusTotal that no antivirus engine flags as malicious.
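Because MSC console files are plain XML, a defender can triage them before they reach an endpoint. The following is an added example, not code from Elastic, Genian or the original article: it parses the StringTable section of an MSC file and flags strings that carry script or browser-resource content (inline `<script` tags, `javascript:`/`vbscript:` URI schemes, or `res://` references into a DLL), which a legitimate console file has no reason to contain. Both MSC documents embedded below are constructed stand-ins for this example; the DLL name in the suspicious one is a placeholder, and the heuristics are the author's assumptions about what an analyst would want surfaced, not a published detection rule.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed minimal stand-in for a benign MMC console file (real .msc files
# use the same MMC_ConsoleFile / StringTables / String layout).
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Computer Management</String>
        <String ID="2">Event Viewer</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed sample of the shape a crafted file might take: StringTable
# entries that carry HTML/script content and a res:// reference into a DLL.
# "PLACEHOLDER.dll" is a placeholder, not a real vulnerable component name.
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Computer Management</String>
        <String ID="2">res://PLACEHOLDER.dll/page.html?q=javascript:void(0)</String>
        <String ID="3">&lt;script&gt;/* constructed marker */&lt;/script&gt;</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Heuristic indicators (assumed by this example): none of these belong in the
# localized display strings of a normal console file.
PATTERNS = {
    "html_script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "script_uri_scheme": re.compile(r"\b(?:javascript|vbscript)\s*:", re.IGNORECASE),
    "res_dll_resource": re.compile(r"res://[^\s\"']*\.dll/", re.IGNORECASE),
}


def extract_string_table(xml_text: str) -> list[str]:
    """Return every <String> value in the file, in document order."""
    root = ET.fromstring(xml_text)
    # iter() walks the whole tree, so nesting depth of StringTables does not matter.
    return [(elem.text or "") for elem in root.iter("String")]


def suspicious_strings(xml_text: str) -> list[tuple[str, str]]:
    """Return (reason, string) pairs for StringTable entries matching a pattern."""
    hits = []
    for value in extract_string_table(xml_text):
        for reason, pattern in PATTERNS.items():
            if pattern.search(value):
                hits.append((reason, value))
    return hits


def is_suspicious(xml_text: str) -> bool:
    """True when at least one StringTable entry looks like script or resource content."""
    return bool(suspicious_strings(xml_text))


if __name__ == "__main__":
    # Usage: python scan_msc.py file1.msc file2.msc ...
    # With no arguments, scan the two constructed samples above.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for reason, value in suspicious_strings(text):
                print(f"{path}: {reason}: {value[:80]}")
    else:
        for name, text in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
            print(name, "->", suspicious_strings(text))
```

The scanner only inspects the StringTable, which is where display text for the console lives; a file that parses cleanly but carries script fragments there is worth escalating even when antivirus engines are silent, as the article notes they currently are. Run it against files unpacked from email attachments or a sandbox rather than opening them in mmc.exe.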