Good find by Elastic - possibly North Korean based threat actors using an unfixed bug in Windows to execute code, undetected across all vendors until that point (and as of writing only Elastic detect still)
@GossiTheDog is this using an embedded iframe in MMC that has all the security turned off? I’ve always wondered about that scenario but never did anything. Will look more soon thx.
@SwiftOnSecurity essentially. I was looking at VirusTotal just now, apparently .msc misuse has been supercharged for a while now, e.g. I can see red teams using WebDAV paths in icon parameters to get SMB hashes