Grimresource transformNode Obfuscation

Hello.

I’d like to share a rule with the community and welcome feedback. I intend it to detect the transformNode Obfuscation used in the Grimresource sample analyzed by Elastic Security Labs GrimResource - Microsoft Management Console for initial access and evasion — Elastic Security Labs. The pcre is meant to detect the use of an unobfuscated WScript.Shell, as well as single and double url-encoded use.

transformNode-obfs-GET.pcap (85.5 KB)

alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"Grimresource transformNode Obfuscation Technique";
flow:established,to_client;
file_data;
content:"{71E5B33E-1064-11D2-808F-0000F875A9CE}";
content:"loadXML(unescape"; distance:0;
content:"CreateObject"; distance:0;
pcre:"/%?(25|22|)+WScript%?(25|2e|)+Shell/Ri";
content:"transformNode"; distance:0;
reference:url,elastic.co/security-labs/grimresource;
classtype:string-detect; metadata: attack_target Client_Endpoint, deployment Perimeter, created_at 2024_10_08; sid:99765; rev:1;)

2 Likes

Hi @rampage! Thanks for the sig submission. I’ll review this and provide feedback once I’m done.

:hotdog:

Thanks for the wait!

Before reviewing the blog, I reviewed the intent of the submitted signature. The provided rule would detect on HTTP Response content if…

  • “{71E5B33E-1064-11D2-808F-0000F875A9CE}” is strictly present
  • “loadXML(unescape” follows after the previous match
  • “CreateObject” follows after the previous match
  • a case-insensitive PCRE after the previous match is satisfied. The PCRE attempts to match on WScript and Shell.
  • “transformNode” follows after the previous match

Notes on Content Used:
This rule would fire on a very specific sample that contains the GUID. We can loosen this rule by removing the GUID, however does the remaining content reflect GrimResource? No, the remaining content would be too generic.

The rule also does not specify a fast_pattern, or a unique content, that could improve the rules performance. Ideally, rules should have this.

Other Notes:
Outside of the present content, I believe your rule correctly identifies the protocol, source and destination of the activity, and the correct Suricata keyword, and supplies adequate rule details needed for this rule.

Let’s build on your rule with the blog contents.

The blog mentioned that …

The key to the GrimResource technique is using an old XSS flaw present in the apds.dll library. By adding a reference to the vulnerable APDS resource in the appropriate StringTable section of a crafted MSC file, attackers can execute arbitrary javascript in the context of mmc.exe

I reviewed the linked article, From http:// domain to res:// domain xss by using IE Adobe’s PDF ActiveX plugin | by Knownsec 404 team | Medium, and noted that XSS flaw generally appears as

res://apds.dll/redirect.html?target=javascript

The blog provides examples of how this XSS flaw is implemented within .

Also, the blog provides a YARA rule used to detect this activity in files:

rule Windows_GrimResource_MMC {
    meta:
        author = "Elastic Security"
        reference = "https://www.elastic.co/security-labs/GrimResource"
        reference_sample = "14bcb7196143fd2b800385e9b32cfacd837007b0face71a73b546b53310258bb"
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $xml = "<?xml"
        $a = "MMC_ConsoleFile" 
        $b1 = "apds.dll" 
        $b2 = "res://"
        $b3 = "javascript:eval("
        $b4 = ".loadXML("
    condition:
       $xml at 0 and $a and 2 of ($b*)
}

With this blog information, we could construct a rule that would target similar network activity, such as…

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT GrimResource / Microsoft Management Console (MMC) RCE Vulnerability (CVE-2024-43572)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<MMC_ConsoleFile>"; content:"<StringTables>"; distance:0; content:"res://apds.dll/"; distance:0; fast_pattern; content:"=javascript:"; distance:0; content:"</StringTables>"; distance:0; content:"</MMC_ConsoleFile>"; distance:0; reference:url,elastic.co/security-labs/grimresource; reference:url,thehackernews.com/2024/06/new-attack-technique-exploits-microsoft.html; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-43572; reference:cve,2024-43572; classtype:exploit-kit; sid:10000001; rev:1;)

Also, we can create a looser rule to detect on the generic apds.dll vulnerability

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Likely apds.dll XSS Attempt"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"res://apds.dll/"; fast_pattern; content:"=javascript:"; distance:0; reference:url,medium.com/@knownsec404team/from-http-domain-to-res-domain-xss-by-using-ie-adobes-pdf-activex-plugin-ba4f082c8199; classtype:bad-unknown; sid:2; rev:1; metadata: attack_target Client_Endpoint, deployment Perimeter;)

The rules above should be available in tomorrow’s release and I’ll make sure to add you to our Thank You list as well!

Cheers,
:hotdog:

1 Like

Pending notes on detecting the transformNode obfuscation technique next. Apologies! Got lost in detecting the initial MMC activity.

===
I reviewed the submitted rule again against the context of detecting the transformNode Obfuscation technique.

In the blog and provided PCAP, the technique appears before the apds.dll XSS, like

alert("GRIMRESOURCE");
xsl.loadXML(unescape("%3C%3Fxml%20version%3D%271%2E0%27%3F%3E%0D%0A%3Cstylesheet%0D%0A%20%20%20%20xmlns%3D%22http%3A%2F%2Fwww%2Ew3%2Eorg%2F1999%2FXSL%2FTransform%22%20xmlns%3Ams%3D%22urn%3Aschemas%2Dmicrosoft%2Dcom%3Axslt%22%0D%0A%20%20%20%20xmlns%3Auser%3D%22placeholder%22%0D%0A%20%20%20%20version%3D%221%2E0%22%3E%0D%0A%20%20%20%20%3Coutput%20method%3D%22text%22%2F%3E%0D%0A%20%20%20%20%3Cms%3Ascript%20implements%2Dprefix%3D%22user%22%20language%3D%22VBScript%22%3E%0D%0A%09%3C%21%5BCDATA%5B%0D%0ASet%20wshshell%20%3D%20CreateObject%28%22WScript%2EShell%22%29%0D%0AWshshell%2Erun%20%22Calc%22%0D%0A%5D%5D%3E%3C%2Fms%3Ascript%3E%0D%0A%3C%2Fstylesheet%3E"))
XML.transformNode(xsl)

where the escape code translates to

<?xml version='1.0'?>
<stylesheet
    xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
    xmlns:user="placeholder"
    version="1.0">
    <output method="text"/>
    <ms:script implements-prefix="user" language="VBScript">
	<![CDATA[
Set wshshell = CreateObject("WScript.Shell")
Wshshell.run "Calc"
]]></ms:script>
</stylesheet>

===
Notes on Content Used:

Let’s assume we omit the GUID and the PCRE. The rule has the following content…
content:"loadXML(unescape"; distance:0;
content:"CreateObject"; distance:0;
content:"transformNode"; distance:0;

I do believe the content here is a bit generic, but this doesn’t stop us from creating a HUNTING rule for Suspected transformNode Obfuscation activity.

It is true that we can continue to target the WScript%2EShell and Wshshell%2Erun contents, but this would limit the hunting rule as the unescaped content may vary.

The following rule will also appear in tomorrow’s release.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspected transformNode Obfuscation in XML document DOM"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"loadXML(unescape("; fast_pattern; content:"CreateObject"; distance:0; content:"transformNode("; distance:0; reference:url,elastic.co/security-labs/grimresource; reference:url,learn.microsoft.com/en-us/previous-versions/windows/desktop/ms761399(v=vs.85); reference:url,github.com/decalage2/oletools/issues/851; classtype:bad-unknown; sid:3; rev:1;)

1 Like
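To see how the two content chains discussed in this thread behave against the unobfuscated, single-encoded and double-encoded forms of the stylesheet, here is an added Python example (my code, not from the thread, the PCAP or ET): it emulates Suricata's content/distance:0 and relative pcre ordering on a constructed response body and peels the unescape() argument the way the reviewer decoded it above. The stylesheet and the loadXML/transformNode block are constructed to match the shape shown in the thread, not copied from the sample.

```python
import re
from urllib.parse import unquote

# Constructed sample (not the thread's PCAP): the VBScript stylesheet the
# reviewer decoded, embedded the way the GrimResource script block embeds it.
VBS = 'Set wshshell = CreateObject("WScript.Shell")\nWshshell.run "Calc"'
STYLESHEET = ('<stylesheet><ms:script language="VBScript"><![CDATA['
              + VBS + ']]></ms:script></stylesheet>')

def pct_encode(s):
    """Percent-encode every non-alphanumeric character (so '.' becomes %2E,
    as in the sample); applying it twice yields the double-encoded form."""
    return "".join(c if c.isalnum() else "%%%02X" % ord(c) for c in s)

def script_block(layers):
    """Build the loadXML(unescape(...)) / transformNode block with the
    stylesheet percent-encoded `layers` times (0 = left unobfuscated)."""
    s = STYLESHEET
    for _ in range(layers):
        s = pct_encode(s)
    return 'xsl.loadXML(unescape("%s"))\nXML.transformNode(xsl)' % s

def chain_matches(data, items):
    """Emulate Suricata content keywords chained with distance:0 and a relative
    (/R) pcre: each item must match at or after the end of the previous one."""
    pos = 0
    for kind, needle in items:
        if kind == "content":
            idx = data.find(needle, pos)
            if idx < 0:
                return False
            pos = idx + len(needle)
        else:                          # kind == "pcre"
            m = needle.search(data, pos)
            if not m:
                return False
            pos = m.end()
    return True

# pcre from the submitted rule (flags R and i), and the two content chains.
WSCRIPT_SHELL = re.compile(r"%?(25|22|)+WScript%?(25|2e|)+Shell", re.I)
SUBMITTED = [("content", "loadXML(unescape"), ("content", "CreateObject"),
             ("pcre", WSCRIPT_SHELL), ("content", "transformNode")]
SID3 = [("content", "loadXML(unescape("), ("content", "CreateObject"),
        ("content", "transformNode(")]

def decode_unescape_arg(data):
    """Recover the stylesheet by peeling percent-encoding until it stops changing."""
    m = re.search(r'unescape\("([^"]*)"\)', data)
    s = m.group(1) if m else ""
    while unquote(s) != s:
        s = unquote(s)
    return s
```

Running the chains shows that sid:3 fires on all three forms, while the submitted pcre, as written, only matches when the dot in WScript.Shell is percent-encoded (once or twice), since nothing in `(25|2e|)+` consumes a literal `.`.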

Thank you so much. I could not have hoped for a more generous and thorough response.

I have a dear friend that is going to be absolutely thrilled that I spoke with a :hotdog: today!

Until next time.
R

1 Like

It’s always a pleasure at ET to work with those submitting signatures! We love the open source community :grinning:.

Today, my colleagues mentioned that GrimResource was reviewed earlier this week and signatures similar to sid:1 and sid:2 above were already published. Those signatures are available as…
2858660 - ETPRO HUNTING Microsoft Management Console Link to Web Address Snap-in URI Scheme
2858661 - ETPRO HUNTING Microsoft Management Console ActiveX Control Snap-in Arbitrary Code
2858662 - ETPRO HUNTING Microsoft Management Console Taskpad Command
2858663 - ETPRO HUNTING Microsoft Management Console Control File View Object Reference
2858664 - ETPRO HUNTING Microsoft Management Console Control File Arbitrary Redirect (apds.dll)

To prevent duplicate work, sid:1 and sid:2 will not be added in today’s release.

sid:3 above will continue to be released.

Hope to hear from you again, @rampage!