GrimResource - Microsoft Management Console for initial access and evasion

June 27, 2024, 5:26 p.m.

Description

Elastic Security researchers have identified a novel, in-the-wild code execution technique that leverages Microsoft Management Console (MSC) files. It was first spotted in the wild in June 2016 and is currently being investigated by VirusTotal.

Date

  • Created: June 27, 2024, 5:02 p.m.
  • Published: June 27, 2024, 5:02 p.m.
  • Modified: June 27, 2024, 5:26 p.m.

Indicators

  • c1bba723f79282dceed4b8c40123c72a5dfcf4e3ff7dd48db8cb6c8772b60b88
  • 4cb575bc114d39f8f1e66d6e7c453987639289a28cd83a7d802744cd99087fd7
  • 14bcb7196143fd2b800385e9b32cfacd837007b0face71a73b546b53310258bb

Attack Patterns

  • Cobalt Strike