Security News > 2024 > June > New attack uses MSC files and Windows XSS flaw to breach networks
A novel command execution technique dubbed 'GrimResource' uses specially crafted MSC and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console.
After Microsoft fixed this issue in ISO files and 7-Zip added the option to propagate MoTW flags, attackers were forced to switch to new attachments, such as Windows Shortcuts and OneNote files.
Attackers have now switched to a new file type, Windows MSC files, which are used in the Microsoft Management Console to manage various aspects of the operating system or create custom views of commonly accessed tools.
Motivated by this research, the Elastic team discovered a new technique of distributing MSC files and abusing an old but unpatched Windows XSS flaw in apds.
The GrimResource attack begins with a malicious MSC file that attempts to exploit an old DOM-based cross-site scripting flaw in the 'apds.
Elastic Security has also published a complete list of GrimResource indicators on GitHub and provided YARA rules in the report to help defenders detect suspicious MSC files.
News URL
Related news
- Windows Update downgrade attack "unpatches" fully-updated systems (source)
- “Perfect” Windows downgrade attack turns fixed vulnerabilities into zero-days (source)
- Windows Downgrade Attack Risks Exposing Patched Systems to Old Vulnerabilities (source)
- PEAKLIGHT Downloader Deployed in Attacks Targeting Windows with Malicious Movie Downloads (source)
- Novel attack on Windows spotted in phishing campaign run from and targeting China (source)
- OpenBAS: Open-source breach and attack simulation platform (source)
- Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack (source)
- Windows vulnerability abused braille “spaces” in zero-day attacks (source)
- CISA warns of Windows flaw used in infostealer malware attacks (source)