{
	"id": "bdaf2b91-bf2e-493b-922b-dd5b70290577",
	"created_at": "2026-04-06T00:21:38.571198Z",
	"updated_at": "2026-04-10T03:21:37.002322Z",
	"deleted_at": null,
	"sha1_hash": "a84b7b624f33ae20c176e832b68b07722c73706e",
	"title": "GrimResource - Microsoft Management Console for initial access and evasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4436039,
	"plain_text": "GrimResource - Microsoft Management Console for initial access and evasion\r\nBy Joe Desimone, Samir Bousseaden\r\nPublished: 2024-06-22 · Archived: 2026-04-05 23:08:51 UTC\r\nOverview\r\nAfter Microsoft disabled Office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have surged in popularity. However, these other techniques are scrutinized by defenders and have a high likelihood of detection. Mature attackers seek to leverage new and undisclosed infection vectors to gain access while evading defenses. A recent example involved DPRK actors using a new command execution technique in MSC files.\r\nElastic researchers have uncovered a new infection technique also leveraging MSC files, which we refer to as GrimResource. It allows attackers to gain full code execution in the context of mmc.exe after a user clicks on a specially crafted MSC file. A sample leveraging GrimResource was first uploaded to VirusTotal on June 6th.\r\nKey takeaways\r\nElastic Security researchers uncovered a novel, in-the-wild code execution technique leveraging specially crafted MSC files referred to as GrimResource\r\nGrimResource allows attackers to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal security warnings, ideal for gaining initial access and evading defenses\r\nElastic is providing analysis of the technique and detection guidance so the community can protect themselves\r\nAnalysis\r\nThe key to the GrimResource technique is using an old XSS flaw present in the apds.dll library. By adding a reference to the vulnerable APDS resource in the appropriate StringTable section of a crafted MSC file, attackers can execute arbitrary JavaScript in the context of mmc.exe. 
Attackers can combine this technique with DotNetToJScript to gain arbitrary code execution.\r\nReference to apds.dll redirect in StringTable\r\nhttps://www.elastic.co/security-labs/grimresource\r\nPage 1 of 10\r\nAt the time of writing, the sample identified in the wild had 0 static detections in VirusTotal.\r\nVirusTotal results\r\nThe sample begins with a transformNode obfuscation technique, which was observed in recent but unrelated macro samples. This aids in evading ActiveX security warnings.\r\ntransformNode evasion and obfuscation technique\r\nThis leads to an obfuscated embedded VBScript, as reconstructed below:\r\nObfuscated VBScript\r\nThe VBScript sets the target payload in a series of environment variables and then leverages the DotNetToJs technique to execute an embedded .NET loader. We named this component PASTALOADER and may release additional analysis on this specific tool in the future.\r\nSetting the target payload environment variables\r\nDotNetToJs loading technique\r\nPASTALOADER retrieves the payload from environment variables set by the VBScript in the previous step:\r\nPASTALOADER loader retrieving the payload\r\nFinally, PASTALOADER spawns a new instance of dllhost.exe and injects the payload into it. This is done in a deliberately stealthy manner using the DirtyCLR technique, function unhooking, and indirect syscalls. In this sample, the final payload is Cobalt Strike.\r\nPayload injected into dllhost.exe\r\nDetections\r\nIn this section, we will examine current behavior detections for this sample and present new, more precise ones aimed at the technique primitives.\r\nSuspicious Execution via Microsoft Common Console\r\nThis detection was established prior to our discovery of this new execution technique. 
It was originally designed to identify a different method (which requires the user to click on the Taskpad after opening the MSC file) that exploits the same MSC file type to execute commands through the Console Taskpads command line attribute:\r\nCommand task MSC sample\r\nprocess where event.action == \"start\" and\r\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.parent.args : \"*.msc\" and\r\n not process.parent.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\",\r\n not process.executable :\r\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\r\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\r\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\r\n \"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\r\n \"?:\\\\Program Files\\\\*.exe\",\r\n \"?:\\\\Program Files (x86)\\\\*.exe\",\r\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.EXE\",\r\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\")\r\nIt triggers here because this sample opted to spawn and inject a sacrificial instance of dllhost.exe:\r\nGrimResource detected\r\n.NET COM object created in non-standard Windows Script Interpreter\r\nThe sample is using the DotNetToJScript technique, which triggers another detection looking for RWX memory allocation from .NET on behalf of a Windows Script Host (WSH) script engine (JScript or VBScript):\r\nThe following EQL rule will detect execution via the .NET loader:\r\napi where\r\n not process.name : (\"cscript.exe\", \"wscript.exe\") and\r\n process.code_signature.trusted == true and\r\n process.code_signature.subject_name : \"Microsoft*\" and\r\n process.Ext.api.name == \"VirtualAlloc\" and\r\n process.Ext.api.parameters.allocation_type == \"RESERVE\" and\r\n process.Ext.api.parameters.protection == \"RWX\" and\r\n process.thread.Ext.call_stack_summary : 
(\r\n /* .NET is allocating executable memory on behalf of a WSH script engine\r\n * Note - this covers both .NET 2 and .NET 4 framework variants */\r\n \"*|mscoree.dll|combase.dll|jscript.dll|*\",\r\n \"*|mscoree.dll|combase.dll|vbscript.dll|*\",\r\n \"*|mscoree.dll|combase.dll|jscript9.dll|*\",\r\n \"*|mscoree.dll|combase.dll|chakra.dll|*\"\r\n)\r\nThe following alert shows mmc.exe allocating RWX memory, and the process.thread.Ext.call_stack_summary captures the origin of the allocation from vbscript.dll to clr.dll:\r\nmmc.exe allocating RWX memory\r\nScript Execution via MMC Console File\r\nThe two previous detections were triggered by specific implementation choices to weaponize the GrimResource method (DotNetToJS and spawning a child process). These detections can be bypassed by using more OPSEC-safe alternatives. Other behaviors that might initially seem suspicious — such as mmc.exe loading jscript.dll, vbscript.dll, and msxml3.dll — can be put in context by comparing them with benign data. We can see that, except for vbscript.dll, these WSH engines are typically loaded by mmc.exe:\r\nNormal library load behaviors by mmc.exe\r\nThe core aspect of this method involves using apds.dll to execute JScript via XSS. 
This behavior is evident in the mmc.exe Procmon output as a CreateFile operation (apds.dll is not loaded as a library):\r\napds.dll being invoked in the MSC StringTable\r\nExample of the successful execution of GrimResource\r\nWe added the following detection using Elastic Defend file open events where the target file is apds.dll and the process.name is mmc.exe:\r\nThe following EQL rule will detect the execution of a script from the MMC console:\r\nsequence by process.entity_id with maxspan=1m\r\n [process where event.action == \"start\" and\r\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.args : \"*.msc\"]\r\n [file where event.action == \"open\" and file.path : \"?:\\\\Windows\\\\System32\\\\apds.dll\"]\r\nTimeline showing the script execution with the MMC console\r\nWindows Script Execution via MMC Console File\r\nAnother detection and forensic artifact is the creation of a temporary HTML file in the INetCache folder, named redirect[*], as a result of the APDS XSS redirection:\r\nContents of redirect.html\r\nThe following EQL correlation can be used to detect this behavior while also capturing the MSC file path:\r\nsequence by process.entity_id with maxspan=1m\r\n [process where event.action == \"start\" and\r\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.args : \"*.msc\"]\r\n [file where event.action in (\"creation\", \"overwrite\") and\r\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and file.name : \"redirect[?]\" and\r\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\\\\redirect[?]\"]\r\nTimeline detecting redirect.html\r\nAlongside the provided behavior rules, the following YARA rule can be used to detect similar 
files:\r\nrule Windows_GrimResource_MMC {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        reference = \"https://www.elastic.co/security-labs/GrimResource\"\r\n        reference_sample = \"14bcb7196143fd2b800385e9b32cfacd837007b0face71a73b546b53310258bb\"\r\n        arch_context = \"x86\"\r\n        scan_context = \"file, memory\"\r\n        license = \"Elastic License v2\"\r\n        os = \"windows\"\r\n    strings:\r\n        $xml = \"\u003c?xml\"\r\n        $a = \"MMC_ConsoleFile\"\r\n        $b1 = \"apds.dll\"\r\n        $b2 = \"res://\"\r\n        $b3 = \"javascript:eval(\"\r\n        $b4 = \".loadXML(\"\r\n    condition:\r\n        $xml at 0 and $a and 2 of ($b*)\r\n}\r\nConclusion\r\nAttackers have developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files. Elastic’s existing out-of-the-box coverage shows our defense-in-depth approach is effective even against novel threats like this. Defenders should leverage our detection guidance to protect themselves and their customers from this technique before it proliferates into commodity threat groups.\r\nObservables\r\nAll observables are also available for download in both ECS and STIX formats.\r\nThe following observables were discussed in this research.\r\nObservable | Type | Name | Reference\r\n14bcb7196143fd2b800385e9b32cfacd837007b0face71a73b546b53310258bb | SHA-256 | sccm-updater.msc | Abused MSC file\r\n4cb575bc114d39f8f1e66d6e7c453987639289a28cd83a7d802744cd99087fd7 | SHA-256 | N/A | PASTALOADER\r\nc1bba723f79282dceed4b8c40123c72a5dfcf4e3ff7dd48db8cb6c8772b60b88 | SHA-256 | N/A | Cobalt Strike payload\r\nSource: https://www.elastic.co/security-labs/grimresource",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/grimresource"
	],
	"report_names": [
		"grimresource"
	],
	"threat_actors": [],
	"ts_created_at": 1775434898,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a84b7b624f33ae20c176e832b68b07722c73706e.pdf",
		"text": "https://archive.orkl.eu/a84b7b624f33ae20c176e832b68b07722c73706e.txt",
		"img": "https://archive.orkl.eu/a84b7b624f33ae20c176e832b68b07722c73706e.jpg"
	}
}