GrimResource - Microsoft Management Console for initial access and evasion — Elastic Security Labs
Tags
attack-pattern: Data Indirect; Exploits - T1587.004; Exploits - T1588.005; Javascript - T1059.007; Mmc - T1218.014; Tool - T1588.002
Common Information
Type | Value |
---|---|
UUID | ec597a69-15e0-4074-b38e-3b246eb7720a |
Fingerprint | 20d70b585db68921 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | June 22, 2024, midnight |
Added to db | Aug. 31, 2024, 9:32 a.m. |
Last updated | Nov. 17, 2024, 6:55 p.m. |
Headline | GrimResource - Microsoft Management Console for initial access and evasion |
Title | GrimResource - Microsoft Management Console for initial access and evasion — Elastic Security Labs |
Detected Hints/Tags/Attributes | 45/1/28 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://www.elastic.co/security-labs/grimresource |
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 306 | ✔ | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 55 | | process.name |
Details | Domain | 5 | | process.ext.api.name |
Details | Domain | 1 | | process.ext.api.parameters.protection |
Details | Domain | 32 | | file.name |
Details | Domain | 101 | | www.elastic.co |
Details | File | 54 | | mmc.exe |
Details | File | 4 | | apds.dll |
Details | File | 172 | | dllhost.exe |
Details | File | 12 | | parent.exe |
Details | File | 49 | | process.exe |
Details | File | 51 | | wermgr.exe |
Details | File | 81 | | werfault.exe |
Details | File | 128 | | msedge.exe |
Details | File | 155 | | cscript.exe |
Details | File | 376 | | wscript.exe |
Details | File | 68 | | mscoree.dll |
Details | File | 21 | | combase.dll |
Details | File | 27 | | jscript.dll |
Details | File | 23 | | vbscript.dll |
Details | File | 29 | | jscript9.dll |
Details | File | 4 | | chakra.dll |
Details | File | 13 | | clr.dll |
Details | File | 7 | | msxml3.dll |
Details | sha256 | 1 | | 14bcb7196143fd2b800385e9b32cfacd837007b0face71a73b546b53310258bb |
Details | sha256 | 1 | | 4cb575bc114d39f8f1e66d6e7c453987639289a28cd83a7d802744cd99087fd7 |
Details | sha256 | 1 | | c1bba723f79282dceed4b8c40123c72a5dfcf4e3ff7dd48db8cb6c8772b60b88 |
Details | Url | 3 | | https://www.elastic.co/security-labs/grimresource |
Details | Yara rule | 1 | | Windows_GrimResource_MMC (rule text below) |

```yara
rule Windows_GrimResource_MMC {
    meta:
        author = "Elastic Security"
        reference = "https://www.elastic.co/security-labs/GrimResource"
        reference_sample = "14bcb7196143fd2b800385e9b32cfacd837007b0face71a73b546b53310258bb"
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $xml = "<?xml"
        $a = "MMC_ConsoleFile"
        $b1 = "apds.dll"
        $b2 = "res://"
        $b3 = "javascript:eval("
        $b4 = ".loadXML("
    condition:
        $xml at 0 and $a and 2 of ($b*)
}
```