Organizations' networks could be compromised through the new GrimResource command execution attack technique, which exploits Microsoft Saved Console (MSC) files and a Windows cross-site scripting vulnerability that has not been patched since its discovery in 2018, reports BleepingComputer. Intrusions commenced with a malicious MSC file targeting a DOM-based XSS flaw in the 'apds.dll' library, which could be used together with the 'DotNetToJScript' technique to facilitate arbitrary .NET code execution and the eventual deployment of a Cobalt Strike payload in the Microsoft Management Console, according to a report from Elastic Security Labs. Ongoing exploitation of the GrimResource technique should prompt organizations' system administrators to watch for file operations that involve mmc.exe-invoked apds.dll, mmc.exe RWX memory allocations, questionable MCC-based executions, atypical .NET COM objects, and temporary HTML files stemming from APDS XSS redirection, according to Elastic Security researchers, who also provided YARA rules for suspicious MSC file detection.
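As an added illustration (not code from Elastic Security Labs or from the original report), the following sketch correlates three of the indicators listed above per mmc.exe process and flags any process that shows at least two of them. The event schema, host names, file paths, and the threshold are assumptions constructed for the example.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths regardless of the host OS

# Constructed sample endpoint events. The field names are a hypothetical
# schema, not the output format of any particular EDR product.
EVENTS = [
    {"host": "ws01", "pid": 4120, "process": "mmc.exe", "type": "file_open",
     "path": r"C:\Windows\System32\apds.dll"},
    {"host": "ws01", "pid": 4120, "process": "mmc.exe", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\page[1].html"},
    {"host": "ws01", "pid": 4120, "process": "mmc.exe", "type": "mem_alloc",
     "protection": "RWX"},
    {"host": "ws02", "pid": 880, "process": "mmc.exe", "type": "mem_alloc",
     "protection": "RW"},
    {"host": "ws03", "pid": 77, "process": "explorer.exe", "type": "file_open",
     "path": r"C:\Windows\System32\apds.dll"},
    {"host": "ws04", "pid": 300, "process": "MMC.EXE", "type": "file_open",
     "path": r"C:\Windows\System32\apds.dll"},
]

def indicator(ev):
    """Map one event to an indicator name from the article's list, or None."""
    if ev["process"].lower() != "mmc.exe":
        return None
    path = ev.get("path", "").lower()
    if ev["type"] == "file_open" and basename(path) == "apds.dll":
        return "apds_dll_open"
    if ev["type"] == "mem_alloc" and ev.get("protection") == "RWX":
        return "rwx_allocation"
    # Assumption: "temporary" means an HTML file under a directory named Temp*.
    if ev["type"] == "file_create" and path.endswith((".htm", ".html")) and "\\temp" in path:
        return "temp_html_file"
    return None

def triage(events, threshold=2):
    """Return {(host, pid): [indicators]} for processes with >= threshold distinct hits."""
    seen = defaultdict(set)
    for ev in events:
        name = indicator(ev)
        if name:
            seen[(ev["host"], ev["pid"])].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (host, pid), hits in triage(EVENTS).items():
        print(f"{host} mmc.exe pid={pid}: {', '.join(hits)}")
```

Requiring two distinct indicators keeps a lone apds.dll load (ws04 in the sample) out of the alert set while still surfacing it when the threshold is lowered to 1.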
Network Security, Threat Intelligence
Microsoft Saved Console files, Windows XSS bug leveraged in novel attack
