Microsoft Management Console Flaw Lets Hackers Run Remote Code!

Attackers are leveraging a new infection technique called GrimResource that exploits a vulnerability in MMC (Microsoft Management Console) to gain initial access to a system. It uses specially crafted MSC files that trigger code execution in mmc.exe when a user opens them.

GrimResource is attractive to attackers because it sidesteps defenses such as disabled Office macros and presents minimal warnings to the user, which highlights the need for updated detection methods to protect against this novel infection vector.

VirusTotal results

The GrimResource attack leverages a known XSS flaw in apds.dll to execute arbitrary JavaScript within mmc.exe. Attackers achieve this with a crafted MSC file that references the vulnerable APDS resource and carries obfuscated VBScript.

The VBScript sets environment variables containing the payload and employs DotNetToJs to execute a .NET loader named PASTALOADER. The loader retrieves the payload from the environment variables, launches a new dllhost.exe instance, and injects the payload using DirtyCLR, function unhooking, and indirect syscalls. Cobalt Strike was observed as the final payload in this instance.

Payload injected into dllhost.exe

The existing detection for suspicious execution via Microsoft Common Console (MSC) files was designed for a different technique and isn’t ideal for the new “GrimResource” method.

That detection focuses on the “Console Taskpads” attribute within MSC files, which GrimResource does not use. Instead, GrimResource injects malicious code into a spawned “dllhost.exe” process, so it triggers a generic injection detection rather than the specific MSC execution detection.

Command task MSC sample

The alert identifies a potentially malicious technique that uses the .NET Framework to create COM objects from within non-standard Windows Script Host (WSH) environments such as VBScript or JScript. The detection focuses on the .NET loader allocating RWX (read, write, execute) memory, which is unusual for scripting engines.

The rule examines the call stack to confirm that the allocation originates from a WSH script engine (jscript.dll, vbscript.dll) interacting with core .NET libraries (mscoree.dll, combase.dll). That combination bypasses typical scripting limitations and warrants investigation.

mmc.exe: allocating RWX memory

In the GrimResource technique, attackers exploit a vulnerability in MMC console files (MSC) to execute malicious scripts, leveraging apds.dll to inject JavaScript code into mmc.exe.

According to Elastic Security Labs, standard security tools might miss this because mmc.exe typically loads scripting libraries such as jscript.dll. However, suspicious activity is revealed when mmc.exe attempts to open apds.dll, which signifies a potential script execution attempt via the MMC console.

Timeline showing the script execution with the MMC console

One method attackers use to execute malicious scripts through MMC console files is to exploit the vulnerability in APDS to redirect to a temporary HTML file containing malicious JavaScript code.

This behavior can be detected by monitoring system events for mmc.exe started with an MSC file argument, followed by the creation of a temporary HTML file in the user’s INetCache folder. A YARA rule is provided to identify similar malicious files based on specific strings present in their code.
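The correlation described above (mmc.exe started with an .msc file, then loading apds.dll, then writing a temporary HTML file under INetCache) as an added example of detection logic; this is not code from the article or from Elastic. The event schema, field names and all sample events are constructed for illustration, and jscript.dll loads alone are deliberately treated as benign.

```python
"""Correlate constructed endpoint telemetry for the GrimResource chain:
mmc.exe + .msc argument -> apds.dll image load -> .htm/.html in INetCache."""
from collections import defaultdict

# Constructed sample events (hypothetical schema), not real telemetry.
EVENTS = [
    # Benign admin session: mmc.exe opens a console and loads jscript.dll only.
    {"type": "process_start", "pid": 100, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\compmgmt.msc'},
    {"type": "image_load", "pid": 100, "module": r"C:\Windows\System32\jscript.dll"},
    # Suspicious session matching the full chain from the article.
    {"type": "process_start", "pid": 200, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Users\bob\Downloads\invoice.msc'},
    {"type": "image_load", "pid": 200, "module": r"C:\Windows\System32\jscript.dll"},
    {"type": "image_load", "pid": 200, "module": r"C:\Windows\System32\apds.dll"},
    {"type": "file_create", "pid": 200,
     "path": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\IE\ABCD1234\redirect[1].htm"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_grimresource(events):
    """Return one finding per mmc.exe pid that completes all three stages in order."""
    state = defaultdict(lambda: {"msc": None, "apds": False, "html": None})
    for ev in events:
        s = state[ev["pid"]]
        if ev["type"] == "process_start" and _basename(ev["image"]) == "mmc.exe":
            # Stage 1: MMC launched with an .msc console file on the command line.
            args = ev["cmdline"].lower()
            if ".msc" in args:
                s["msc"] = args
        elif ev["type"] == "image_load" and s["msc"]:
            # Stage 2: apds.dll is the tell; jscript.dll alone is normal for mmc.exe.
            if _basename(ev["module"]) == "apds.dll":
                s["apds"] = True
        elif ev["type"] == "file_create" and s["apds"]:
            # Stage 3: temporary HTML written under the user's INetCache folder.
            p = ev["path"].lower()
            if "\\inetcache\\" in p and p.endswith((".htm", ".html")):
                s["html"] = ev["path"]
    return [{"pid": pid, "msc_cmdline": s["msc"], "html": s["html"]}
            for pid, s in state.items() if s["msc"] and s["apds"] and s["html"]]


if __name__ == "__main__":
    for f in detect_grimresource(EVENTS):
        print(f"GrimResource pattern in pid {f['pid']}: {f['html']}")
```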

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
