Good find by Elastic - possibly North Korean based threat actors using an... - Random

GossiTheDog , vor 14 Tagen Englisch

Good find by Elastic - possibly North Korean based threat actors using an unfixed bug in Windows to execute code, undetected across all vendors until that point (and as of writing only Elastic detect still)

They’ve named it GrimResource https://www.elastic.co/security-labs/grimresource

#threatintel

Antworten

Melden

Aktivität

Ursprüngliche URL öffnen

Original-URL kopieren

Mbin URL kopieren

Loading...

GossiTheDog OP , vor 11 Tagen

Still essentially zero detection for GrimResource. PoC that spawns calc: https://gist.github.com/joe-desimone/2b0bbee382c9bdfcac53f2349a379fa4

#threatintel

Antworten

Melden

Aktivität

Ursprüngliche URL öffnen

Original-URL kopieren

Mbin URL kopieren

Loading...

SwiftOnSecurity , vor 11 Tagen

@GossiTheDog is this using an embedded iframe in MMC that has all the security turned off? I’ve always wondered about that scenario but never did anything. Will look more soon thx.

Antworten

Melden

Aktivität

Ursprüngliche URL öffnen

Original-URL kopieren

Mbin URL kopieren

Loading...

GossiTheDog OP , vor 11 Tagen

@SwiftOnSecurity essentially. I was looking at VirusTotal just now, apparently .msc misuse has been supercharged for a while now, e.g. I can see red teams using WebDAV paths in icon parameters to get SMB hashes

Antworten

Melden

Aktivität

Ursprüngliche URL öffnen

Original-URL kopieren

Mbin URL kopieren

Loading...

+ SwiftOnSecurity

SwiftOnSecurity , vor 10 Tagen

@GossiTheDog I mean webview*

Antworten

Melden

Aktivität

Ursprüngliche URL öffnen

Original-URL kopieren

Mbin URL kopieren

Loading...