
Summary
GrimResource is a Windows code-execution technique that abuses a stored XSS vulnerability in apds.dll to achieve arbitrary code execution inside mmc.exe, a signed and trusted Windows binary. The attack is delivered via a malicious MMC Saved Console file (.msc). When the file is opened, MMC processes an embedded transformNode operation that triggers the XSS in apds.dll, enabling attacker-controlled script execution within the MMC process context. Detection centers on Windows Security event ID 4663 (object access) showing mmc.exe accessing apds.dll, and is intended to be implemented over endpoint telemetry (process GUID, process name, parent process, and full command line) mapped to the Endpoint data model and CIM-normalized fields. Note that legitimate administrative activity may occasionally resemble this pattern (MMC interactions with apds.dll), so false positives can occur and hits should be checked against approved admin workflows.
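As an added example (not the page's own detection logic), the following Python applies the 4663 match described above to constructed sample events using assumed CIM/Endpoint-style field names, and triages each hit against an assumed allowlist of approved console files taken from the full command line:

```python
import re

# Constructed sample records (not real telemetry); field names are assumed
# CIM/Endpoint-style: process_name, parent_process_name, process (full command
# line), process_guid, object_name (the file the 4663 event is about).
SAMPLE_EVENTS = [
    {"EventCode": 4663, "process_guid": "{0001}", "process_name": "mmc.exe",
     "parent_process_name": "explorer.exe",
     "process": r'"C:\Windows\System32\mmc.exe" C:\Users\alice\Downloads\invoice.msc',
     "object_name": r"C:\Windows\System32\apds.dll"},
    {"EventCode": 4663, "process_guid": "{0002}", "process_name": "mmc.exe",
     "parent_process_name": "explorer.exe",
     "process": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc',
     "object_name": r"C:\Windows\System32\apds.dll"},
    {"EventCode": 4663, "process_guid": "{0003}", "process_name": "notepad.exe",
     "parent_process_name": "explorer.exe",
     "process": r'"C:\Windows\System32\notepad.exe"',
     "object_name": r"C:\Windows\System32\apds.dll"},
    {"EventCode": 4688, "process_guid": "{0004}", "process_name": "mmc.exe",
     "parent_process_name": "explorer.exe",
     "process": r'"C:\Windows\System32\mmc.exe" C:\Users\bob\evil.msc',
     "object_name": r"C:\Windows\System32\apds.dll"},
]

# Assumed allowlist of console files approved for routine admin use; tune per site.
APPROVED_CONSOLES = {r"c:\windows\system32\eventvwr.msc",
                     r"c:\windows\system32\services.msc"}

MSC_ARG = re.compile(r'"([^"]*\.msc)"|(\S+\.msc)\b', re.IGNORECASE)

def is_grimresource_candidate(event):
    """Core match from the page: a 4663 object-access event in which mmc.exe
    opens apds.dll. Paths are compared case-insensitively, as on NTFS."""
    return (event.get("EventCode") == 4663
            and event.get("process_name", "").lower() == "mmc.exe"
            and event.get("object_name", "").lower().endswith("\\apds.dll"))

def triage(event):
    """Return 'alert', 'review' (matched, but the .msc is an approved console), or None."""
    if not is_grimresource_candidate(event):
        return None
    m = MSC_ARG.search(event.get("process", ""))
    console = (m.group(1) or m.group(2)).lower() if m else None
    return "review" if console in APPROVED_CONSOLES else "alert"

def findings(events):
    """(process_guid, parent process, verdict) for every event that matched."""
    return [(e["process_guid"], e["parent_process_name"], triage(e))
            for e in events if triage(e)]
```

Event ID 4663 is only generated when object-access auditing is enabled and a SACL covers apds.dll, so confirm that auditing is in place before relying on this data source.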
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1059.007
- T1218.014
Created: 2026-04-13