Suspicious Microsoft Diagnostics Wizard Execution
Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.
Elastic rule
[metadata]
creation_date = "2022/05/31"
integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = """
Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or
binary execution via malicious process arguments.
"""
from = "now-9m"
index = [
  "logs-endpoint.events.process-*",
  "winlogbeat-*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-m365_defender.event-*",
  "logs-crowdstrike.fdr*",
  "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Microsoft Diagnostics Wizard Execution"
references = [
  "https://twitter.com/nao_sec/status/1530196847679401984",
  "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
]
risk_score = 73
rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: Crowdstrike",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (?process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and
  (
    process.args : ("IT_RebrowseForFile=*", "*FromBase64*", "*/../../../*", "IT_BrowseForFile=*") or
    (
      process.args : ("-af", "/af") and process.args : "/skip" and
      process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and
      process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")
    ) or

    (process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or

    (
      ?process.pe.original_file_name == "msdt.exe" and
      not process.executable : (
        "?:\\Windows\\system32\\msdt.exe",
        "?:\\Windows\\SysWOW64\\msdt.exe",
        /* Crowdstrike specific exclusion as it uses NT Object paths */
        "\\Device\\HarddiskVolume*\\Windows\\system32\\msdt.exe",
        "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\msdt.exe"
      )
    )
  )
'''
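To see which branch of the query above a given process-start event satisfies, the following Python re-implements the rule's conditions and runs them over constructed events. This is an added example, not Elastic's code or the EQL engine: `fnmatch` stands in for EQL's case-insensitive `:` wildcard operator, the events are flat dicts keyed by the ECS field names the rule uses, and every value in them (the `HelpdeskAgent.exe` and `updater.exe` process names, the paths, the diagnostic pack ids) is constructed for the demonstration.

```python
import fnmatch

# Patterns copied from the rule's query. EQL source spells one backslash as "\\",
# so the Windows paths are raw strings here.
SUSPICIOUS_ARGS = ["IT_RebrowseForFile=*", "*FromBase64*", "*/../../../*", "IT_BrowseForFile=*"]
ANSWER_FILE_FLAGS = ["-af", "/af"]
ANSWER_FILE_PARENTS = ["explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe",
                       "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]
ANSWER_FILE_PATHS = [r"?:\WINDOWS\diagnostics\index\PCWDiagnostic.xml", "PCWDiagnostic.xml",
                     r"?:\Users\Public\*", r"?:\Windows\Temp\*"]
EXPECTED_MSDT_PATHS = [r"?:\Windows\system32\msdt.exe", r"?:\Windows\SysWOW64\msdt.exe",
                       # CrowdStrike reports NT object paths, hence the two extra entries
                       r"\Device\HarddiskVolume*\Windows\system32\msdt.exe",
                       r"\Device\HarddiskVolume*\Windows\SysWOW64\msdt.exe"]


def wild(value, patterns):
    """EQL ':' on a keyword field: case-insensitive match with '*' and '?' wildcards.
    A missing field (None) never matches; callers that negate must check for None
    themselves, because EQL's `not field : (...)` is also false when the field is absent."""
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def any_arg(args, patterns):
    """process.args is an array: EQL matches when any element matches any pattern."""
    return any(wild(a, patterns) for a in args)


def classify(ev):
    """Return the name of the rule branch the event satisfies, or None when it would not alert."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return None
    ofn = ev.get("process.pe.original_file_name")  # optional field (?process.pe... in the rule)
    name, exe = ev.get("process.name"), ev.get("process.executable")
    args, parent = ev.get("process.args", []), ev.get("process.parent.name")

    # Outer gate: the image is MSDT either by PE original file name or by process name.
    if not (ofn == "msdt.exe" or wild(name, ["msdt.exe"])):
        return None
    # Branch 1: rebrowse/browse-file parameters, base64 content or path traversal in the arguments.
    if any_arg(args, SUSPICIOUS_ARGS):
        return "suspicious_arguments"
    # Branch 2: an answer file (-af or /af plus /skip) handed to MSDT by a shell or script host,
    # naming the PCWDiagnostic pack or a user-writable location.
    if (any_arg(args, ANSWER_FILE_FLAGS) and any_arg(args, ["/skip"])
            and wild(parent, ANSWER_FILE_PARENTS) and any_arg(args, ANSWER_FILE_PATHS)):
        return "answer_file_via_shell_or_script_host"
    # Branch 3: the PE header says msdt.exe but the on-disk name differs (renamed copy).
    if ofn == "msdt.exe" and name is not None and not wild(name, ["msdt.exe"]):
        return "renamed_msdt"
    # Branch 4: a genuine msdt.exe image running from outside System32/SysWOW64.
    if ofn == "msdt.exe" and exe is not None and not wild(exe, EXPECTED_MSDT_PATHS):
        return "msdt_outside_system_paths"
    return None


def _event(fields):
    """Constructed process-start event; fields common to every sample are filled in here."""
    return {"host.os.type": "windows", "event.type": "start", **fields}


SYSTEM32 = r"C:\Windows\System32\msdt.exe"
# Constructed samples: one expected-benign launch, one per rule branch, and the
# CrowdStrike NT-path case that the exclusion list exists for.
SAMPLES = {
    "helpdesk_audio_pack": _event({
        "process.name": "msdt.exe", "process.pe.original_file_name": "msdt.exe",
        "process.executable": SYSTEM32, "process.parent.name": "HelpdeskAgent.exe",
        "process.args": ["msdt.exe", "/id", "AudioPlaybackDiagnostic"]}),
    "rebrowse_parameter_from_office": _event({
        "process.name": "msdt.exe", "process.pe.original_file_name": "msdt.exe",
        "process.executable": SYSTEM32, "process.parent.name": "WINWORD.EXE",
        "process.args": ["msdt.exe", "/id", "PCWDiagnostic", "/skip", "force", "/param",
                         "IT_RebrowseForFile=CONSTRUCTED_PLACEHOLDER"]}),
    "answer_file_in_public": _event({
        "process.name": "msdt.exe", "process.pe.original_file_name": "msdt.exe",
        "process.executable": SYSTEM32, "process.parent.name": "powershell.exe",
        "process.args": ["msdt.exe", "-af", r"C:\Users\Public\diag.xml", "/skip", "force"]}),
    "renamed_copy": _event({
        "process.name": "updater.exe", "process.pe.original_file_name": "msdt.exe",
        "process.executable": r"C:\Users\Public\updater.exe", "process.parent.name": "cmd.exe",
        "process.args": ["updater.exe"]}),
    "relocated_copy": _event({
        "process.name": "msdt.exe", "process.pe.original_file_name": "msdt.exe",
        "process.executable": r"C:\Users\Public\msdt.exe", "process.parent.name": "cmd.exe",
        "process.args": ["msdt.exe"]}),
    "crowdstrike_nt_path": _event({
        "process.name": "msdt.exe", "process.pe.original_file_name": "msdt.exe",
        "process.executable": r"\Device\HarddiskVolume3\Windows\System32\msdt.exe",
        "process.parent.name": "svchost.exe",
        "process.args": ["msdt.exe", "/id", "NetworkDiagnosticsWeb"]}),
}


def run_samples():
    """Classify every constructed sample; keys are sample names, values the branch hit or None."""
    return {label: classify(ev) for label, ev in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:32} -> {verdict}")
```

Two details carry over from EQL and are easy to get wrong when porting a rule: the `:` operator is case-insensitive (so `System32` matches the `system32` pattern), and a negated wildcard test on an absent field does not fire, which is why the renamed-copy and relocated-copy branches check for `None` before negating.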

note = """## Triage and analysis

### Investigating Suspicious Microsoft Diagnostics Wizard Execution

#### Possible investigation steps

- Does the alert show MSDT proxy-execution behavior or a bounded diagnostic launch?
  - Why: MSDT abuse depends on PCWDiagnostic answer files, rebrowse or browse-file parameters, traversal, or encoded input, not on "msdt.exe" alone.
  - Focus: `process.command_line` and `process.args`, classifying answer-file use, rebrowse or browse-file parameters, encoded input, traversal, and package location.
  - Implication: escalate when arguments point to attacker-controlled content, encoded or traversal input, or user-writable answer files; lower concern only when they resolve to a recognized local diagnostic pack with no external, encoded, traversal, or user-writable references.

- Do binary identity and launcher lineage fit a legitimate diagnostic launch?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.trusted`, `process.parent.executable`, and `process.parent.command_line`.
  - Implication: escalate when MSDT is renamed, relocated, unsigned or untrusted, or launched by Office, a browser, script host, "mshta.exe", "rundll32.exe", "regsvr32.exe", or a shell using profile or temp content; lower concern when a trusted Windows MSDT path and signed helpdesk, OEM, or management parent launch the same diagnostic pack.

- Did MSDT or a diagnostic-host child launch another binary or script?
  - Focus: child process events where `process.parent.entity_id` matches alert `process.entity_id`; record child `process.entity_id`, `process.executable`, `process.command_line`, and `process.code_signature.trusted`. $investigate_0
  - Hint: if the first child is a signed diagnostic host, inspect that child's descendants before treating the chain as contained.
  - Implication: escalate when MSDT or its diagnostic-host child launches shells, script interpreters, "mshta.exe", "regsvr32.exe", "rundll32.exe", unsigned payloads, or content from user-writable paths; lower concern when the child chain stays inside expected Microsoft or OEM diagnostic components.

- Do file events show package staging or later execution?
  - Focus: if file telemetry exists, pivot with `host.id` plus alert `process.entity_id`, parent `process.parent.entity_id`, direct-child parent linkage, and exact referenced paths when present; otherwise use `host.id`, `process.pid`, and alert-time window for referenced path, provenance, write timing, and later execution. Missing file telemetry is unresolved, not benign. $investigate_1
  - Implication: escalate when the package appears in Public, Temp, profile, share, or newly written staging paths, carries web or archive provenance, or later executes; lower concern only when artifact evidence stays bound to the same recognized diagnostic package.

- If remote delivery is suggested, do optional network events show retrieval or external control?
  - Focus: when network telemetry exists, query with `host.id` plus alert `process.entity_id` or alert-backed `process.parent.entity_id`, separating DNS from connections. Review child-process network activity from recovered child results. Missing network telemetry is unresolved, not benign. $investigate_2
  - Implication: escalate when the parent, MSDT, or child chain retrieves remote HTML/package content or contacts unrelated infrastructure; lower concern only when available network evidence stays local or vendor-aligned with the same diagnostic package.

- If local evidence is suspicious or unresolved, does related alert history broaden scope?
  - Focus: compare related alerts for `user.id` and `host.id` over 48 hours for recurring MSDT command patterns, parent launchers, package paths, child payloads, or remote indicators. $investigate_3 $investigate_4
  - Implication: broaden scope when the same proxy-execution pattern appears across unrelated hosts or users; keep response local only when current process, file, child, and network evidence bind one recognized diagnostic workflow.

- What disposition is supported?
  - Weigh command-line intent, image identity, parent lineage, package evidence, child or descendant processes, and file or network corroboration; escalate proxy execution or payload delivery, close only when evidence binds one recognized diagnostic workflow, and preserve artifacts when evidence is mixed or incomplete.

### False positive analysis

- Helpdesk, OEM troubleshooting, software deployment, or validation can trigger this rule when a signed support or management parent starts Microsoft-signed MSDT from a standard Windows path, uses the same controlled local diagnostic pack, and produces the same child-process set. Close only when parent path and command line, MSDT path and signature, command line, package path, child behavior, `user.id`, and `host.id` align in the current case; records can corroborate but not replace telemetry.
- Do not create exceptions on `process.name`, `process.pe.original_file_name`, or Microsoft signature alone.

### Response and remediation

- If confirmed benign:
  - Reverse temporary containment and document the process, parent, package, and child-process evidence. Build exceptions only from the confirmed parent path plus command-line/package pattern plus `host.id` or `user.id`, not from "msdt.exe" alone.
- If suspicious but unconfirmed:
  - Preserve the alert, MSDT `process.entity_id`, `process.pid`, `process.command_line`, `process.args`, parent evidence, package path, child identifiers, suspicious package copies, and remote indicators.
  - Apply reversible containment for the affected `host.id` and `user.id`, such as temporary network restrictions, heightened monitoring, or child-process blocking. Isolate only for spawned payload behavior or high host criticality.
- If confirmed malicious:
  - Isolate the host or escalate after preserving the MSDT and child identifiers, package paths, payload paths, command lines, and remote indicators.
  - Terminate MSDT, diagnostic-host, and payload processes only after recording identifiers; block malicious child binaries, package paths, domains, and IP indicators.
  - Remove malicious ".xml", ".msi", ".diagcab", remote package, or payload artifacts, then remediate the parent document, browser, script, or management path.
- Post-incident hardening:
  - Restrict MSDT where business use no longer requires it, verify Follina-era mitigations, and retain process, file, and network telemetry for MSDT, parents, and children.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.name",
  "host.id",
  "user.name",
  "user.id",
  "process.entity_id",
  "process.pid",
  "process.executable",
  "process.command_line",
  "process.args",
  "process.pe.original_file_name",
  "process.code_signature.trusted",
  "process.parent.entity_id",
  "process.parent.executable",
  "process.parent.command_line",
]

[transform]

[[transform.investigate]]
label = "Child process events for the same MSDT instance"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for parent and child processes"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network and DNS events for MSDT or its parent"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "dns", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "dns", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
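The `$investigate_N` placeholders in the investigation guide resolve to the `[[transform.investigate]]` pivots above, which Kibana fills from the alert's own field values. As an added example (not Elastic's or Kibana's code), the following Python turns one of those provider lists into an Elasticsearch query DSL body, so the same child-process pivot can be reproduced with a plain `_search` call outside Timeline. It assumes Timeline's data-provider semantics: providers within one inner list are AND-ed, the outer lists are OR-ed, `queryType = "phrase"` becomes `match_phrase`, and `excluded = true` becomes `must_not`. The time field name (`@timestamp`) and the alert document are constructed.

```python
import json
import re

# Providers copied from the page's "Child process events for the same MSDT instance" pivot.
CHILD_PROCESS_PIVOT = [
    [
        {"excluded": False, "field": "event.category", "queryType": "phrase",
         "value": "process", "valueType": "string"},
        {"excluded": False, "field": "host.id", "queryType": "phrase",
         "value": "{{host.id}}", "valueType": "string"},
        {"excluded": False, "field": "process.parent.entity_id", "queryType": "phrase",
         "value": "{{process.entity_id}}", "valueType": "string"},
    ]
]

# Constructed alert document: the values the {{...}} placeholders are filled from.
ALERT = {"host.id": "host-0001-constructed", "process.entity_id": "msdt-entity-constructed"}

PLACEHOLDER = re.compile(r"\{\{([\w.]+)\}\}")


def render(template, alert):
    """Replace every {{field}} placeholder with the alert's value for that field.

    An unfilled placeholder would be sent to Elasticsearch as the literal text
    "{{host.id}}" and silently match nothing, so a missing field is an error here."""
    def fill(match):
        key = match.group(1)
        if alert.get(key) in (None, ""):
            raise KeyError(f"alert has no value for {key}; pivot cannot be built")
        return str(alert[key])
    return PLACEHOLDER.sub(fill, template)


def providers_to_query(providers, alert, relative_from="now-1h", relative_to="now",
                       time_field="@timestamp"):
    """Build an Elasticsearch query body from a transform.investigate provider list.

    Each inner list becomes one bool clause (AND of its providers, excluded ones in
    must_not); the inner lists are OR-ed via `should` with minimum_should_match = 1,
    and the transform's relativeFrom/relativeTo become a date-math range filter."""
    groups = []
    for group in providers:
        filters, must_not = [], []
        for provider in group:
            if provider["queryType"] != "phrase":
                raise ValueError(f"unsupported queryType {provider['queryType']!r}")
            clause = {"match_phrase": {provider["field"]: render(provider["value"], alert)}}
            (must_not if provider["excluded"] else filters).append(clause)
        groups.append({"bool": {"filter": filters, "must_not": must_not}})
    return {
        "query": {
            "bool": {
                "filter": [{"range": {time_field: {"gte": relative_from, "lte": relative_to}}}],
                "should": groups,
                "minimum_should_match": 1,
            }
        }
    }


if __name__ == "__main__":
    print(json.dumps(providers_to_query(CHILD_PROCESS_PIVOT, ALERT), indent=2))
```

Running the module prints the body you would POST to the process index pattern(s) listed in `index`; for the file and network pivots, pass their provider lists and the matching `relativeFrom`/`relativeTo` values instead. Note that the rule itself uses `timestamp_override = "event.ingested"`, so if your stored documents are ordered on that field rather than `@timestamp`, pass it as `time_field`.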
Related rules
- Command Obfuscation via Unicode Modifier Letters
- Potential Remote Install via MsiExec
- Attempt to Install or Run Kali Linux via WSL
- Script Execution via Microsoft HTML Application
- Suspicious Managed Code Hosting Process