GrimResource abuses Microsoft Management Console (MMC) files to execute arbitrary code with minimal detection. Here's how it works and how to defend against it.
Discovered by Elastic Security Labs, the GrimResource technique exploits a long-standing cross-site scripting flaw in Microsoft Management Console (MMC) snap-ins to execute arbitrary code with minimal detection. The attack uses crafted .msc files delivered via phishing.
How It Works
A specially crafted .msc file references a vulnerable XSL stylesheet that, when opened by mmc.exe, runs attacker-controlled JavaScript via the legacy apds.dll. From JavaScript, the attacker reaches a DotNetToJScript or similar pattern to load .NET assemblies in memory, which bypasses many traditional defenses because the parent process is the trusted mmc.exe.
Detection and Mitigation
- Hunt for mmc.exe spawning unusual children (powershell.exe, cmd.exe, regsvr32.exe).
- Block .msc files at the email gateway and prompt users on download.
- Use application control (WDAC, AppLocker) to constrain what mmc.exe can launch.
- Write detection rules for apds.dll loads in unusual contexts.
- Add EDR rules for in-memory .NET load chains following mmc.exe execution.
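Detection logic for the first and fourth bullets above, as an added example that is not from the original article: it runs over constructed Sysmon-style ProcessCreate (event 1) and ImageLoad (event 7) records, flags mmc.exe loading apds.dll or spawning one of the listed children, and raises the severity when both fire on the same mmc.exe instance. Field names follow Sysmon; the GUIDs, paths and the SAMPLE_EVENTS list are constructed.

```python
import ntpath
from collections import defaultdict

# Children the article lists as unusual for mmc.exe to spawn; extend from your own baseline.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "regsvr32.exe"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()


def detect(events: list[dict]) -> list[dict]:
    """Return alerts for mmc.exe loading apds.dll, mmc.exe spawning a listed child,
    and (high severity) both indicators on the same mmc.exe ProcessGuid."""
    alerts = []
    hits = defaultdict(set)  # mmc.exe ProcessGuid -> rule names that fired for it
    for ev in events:
        if ev.get("EventID") == 7 and base(ev.get("Image")) == "mmc.exe" \
                and base(ev.get("ImageLoaded")) == "apds.dll":
            # apds.dll has legitimate uses (MMC help); on its own this is a medium-confidence lead.
            alerts.append({"severity": "medium", "rule": "mmc_loaded_apds", "guid": ev["ProcessGuid"]})
            hits[ev["ProcessGuid"]].add("mmc_loaded_apds")
        elif ev.get("EventID") == 1 and base(ev.get("ParentImage")) == "mmc.exe" \
                and base(ev.get("Image")) in SUSPICIOUS_CHILDREN:
            alerts.append({"severity": "medium", "rule": "mmc_spawned_child",
                           "guid": ev["ParentProcessGuid"], "child": base(ev["Image"])})
            hits[ev["ParentProcessGuid"]].add("mmc_spawned_child")
    # Correlation: one mmc.exe instance both loaded apds.dll and spawned a listed child.
    for guid, rules in hits.items():
        if {"mmc_loaded_apds", "mmc_spawned_child"} <= rules:
            alerts.append({"severity": "high", "rule": "grimresource_chain", "guid": guid})
    return alerts


# Constructed sample telemetry: one benign mmc.exe, one GrimResource-like chain, one benign cmd.exe.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\apds.dll"},
    {"EventID": 1, "ProcessGuid": "{C3}", "ParentProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe"},
    {"EventID": 1, "ProcessGuid": "{D4}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```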
GrimResource is a reminder that LOLBins remain a productive area for both attackers and defenders.