FalconFriday — Detecting MMC abuse using “GrimResource” with MDE — 0xFF24
ID: 9f56c664-53be-54c4-bbf1-9ec4031a5f01
STIX ID: report--9f56c664-53be-54c4-bbf1-9ec4031a5f01
Feed Name: FalconForce
This report examines how MMC (.msc) files can be abused—highlighting the GrimResource technique—to load .NET assemblies from memory and deliver/inject payloads for initial access and AppLocker bypass; it provides three MDE detections to identify MMC loading .NET from memory, suspicious .msc launch contexts (downloads, MOTW, ZIP extraction, Downloads folder), and mmc.exe initiating process injection.