Conversation

Notices

1. Embed this notice
   Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 22-Jun-2024 09:00:54 JST Kevin Beaumont

   Good find by Elastic - North Korean based threat actors using an unfixed bug in Windows to execute code, undetected across all vendors until that point (and as of writing only Elastic detect still)

   They’ve named it GrimResource https://www.elastic.co/security-labs/grimresource

   #threatintel

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 25-Jun-2024 19:46:48 JST Kevin Beaumont

     in reply to

     Still essentially zero detection for GrimResource. PoC that spawns calc: https://gist.github.com/joe-desimone/2b0bbee382c9bdfcac53f2349a379fa4

     #threatintel

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 25-Jun-2024 22:56:43 JST Kevin Beaumont

     in reply to

     This GrimResource issue is.. Grim. Here's the PoC listed above, it's just easy code execution as the HTML code executes as the local computer context. I expect this one to explode in crimeware groups as it is so easy to exploit. Microsoft need to fix it.

     I can see clear historic misuse on VirusTotal - also red team firms using .msc files via MMC to, for example, get SMB hashes via WebDAV as it appears MMC just yolo contacts anything and auto logs in.

   • Embed this notice
     TheTomas (thetomas@social.toot9.de)'s status on Tuesday, 25-Jun-2024 23:09:09 JST TheTomas

     in reply to

     @GossiTheDog Again, Software Restriction Policies, deployed via GPO help... *sigh*

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 26-Jun-2024 19:53:38 JST Kevin Beaumont

     in reply to

     Microsoft Defender AV started rolling some detection coverage for GrimResource 🥳