Suspicious Microsoft Diagnostics Wizard Execution
Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.
Elastic rule
[metadata]
creation_date = "2022/05/31"
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or
binary execution via malicious process arguments.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Microsoft Diagnostics Wizard Execution"
references = [
    "https://twitter.com/nao_sec/status/1530196847679401984",
    "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
]
risk_score = 73
rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
    (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and
    (
        process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or

        (process.args : "-af" and process.args : "/skip" and
         process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and
         process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")) or

        (process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or

        (process.pe.original_file_name == "msdt.exe" and not process.executable : ("?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe"))
    )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Microsoft Diagnostics Wizard Execution

The Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a legitimate tool used for diagnosing and resolving issues within Windows environments. However, adversaries can exploit MSDT to execute malicious commands by manipulating its process arguments, effectively using it as a proxy for harmful activities. The detection rule identifies such abuse by monitoring for unusual execution patterns, such as atypical file paths, unexpected parent processes, and non-standard executable locations, which are indicative of potential misuse. This proactive detection helps in mitigating risks associated with defense evasion tactics.

### Possible investigation steps

- Review the process arguments to identify any suspicious patterns, such as "IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", or "*FromBase64*", which may indicate malicious intent.
- Examine the parent process of msdt.exe to determine if it was launched by an unexpected or potentially malicious process like cmd.exe, powershell.exe, or mshta.exe.
- Check the file path of the msdt.exe executable to ensure it matches the standard locations (?:\\Windows\\system32\\msdt.exe or ?:\\Windows\\SysWOW64\\msdt.exe) and investigate any deviations.
- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious.
- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related malicious activities or patterns.
- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate action is required to mitigate potential threats.

### False positive analysis

- Legitimate troubleshooting activities by IT staff using MSDT may trigger alerts. To manage this, create exceptions for known IT user accounts or specific machines frequently used for diagnostics.
- Automated scripts or software updates that utilize MSDT for legitimate purposes can cause false positives. Identify these scripts and whitelist their execution paths or parent processes.
- Custom diagnostic tools that leverage MSDT might be flagged. Review these tools and exclude their specific process arguments or executable paths if they are verified as safe.
- Non-standard installations of MSDT in custom environments could be misidentified. Ensure that any legitimate non-standard paths are documented and excluded from monitoring.
- Frequent use of MSDT in virtualized environments for testing purposes may lead to alerts. Consider excluding these environments or specific virtual machines from the rule.

### Response and remediation

- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate the suspicious msdt.exe process to stop any ongoing malicious execution.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
- Review and analyze the process arguments and parent processes associated with the msdt.exe execution to identify potential entry points or related malicious activities.
- Restore any affected files or system components from a known good backup to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
- Implement enhanced monitoring and logging for msdt.exe and related processes to detect and respond to similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
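To make the four branches of the EQL query concrete, here is an added Python example (it is not Elastic's code and not the EQL engine) that re-implements the same conditions over constructed ECS-style process events and applies the user-account exception suggested under the false-positive analysis. The pattern lists are copied from the rule; the events, user names, parent process names and paths are constructed sample data, and `eql_like`, `matches_rule` and `triage` are hypothetical helper names.

```python
import fnmatch
from typing import Dict, Iterable, List, Optional

# Pattern lists copied verbatim from the rule's query.
SUSPICIOUS_ARGS = ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*")
SHELL_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe",
                 "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
PCW_ARGS = ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml",
            "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")
EXPECTED_EXE = ("?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe")


def eql_like(value: Optional[str], patterns: Iterable[str]) -> bool:
    """EQL ':' semantics: case-insensitive wildcard match ('*' any run, '?' one char)."""
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def any_arg_like(args: List[str], patterns: Iterable[str]) -> bool:
    """EQL ':' on an array field is true if any element matches any pattern."""
    return any(eql_like(a, patterns) for a in args)


def matches_rule(ev: Dict) -> Optional[str]:
    """Return the name of the first query branch the event satisfies, or None."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return None
    ofn = ev.get("process.pe.original_file_name")  # EQL '==' is case-sensitive
    name = ev.get("process.name")
    args = ev.get("process.args", [])
    if not (ofn == "msdt.exe" or eql_like(name, ("msdt.exe",))):
        return None
    if any_arg_like(args, SUSPICIOUS_ARGS):
        return "suspicious_args"
    if (any_arg_like(args, ("-af",)) and any_arg_like(args, ("/skip",))
            and eql_like(ev.get("process.parent.name"), SHELL_PARENTS)
            and any_arg_like(args, PCW_ARGS)):
        return "pcw_answer_file_from_shell"
    if ofn == "msdt.exe" and name is not None and not eql_like(name, ("msdt.exe",)):
        return "renamed_msdt_binary"
    if ofn == "msdt.exe" and not eql_like(ev.get("process.executable"), EXPECTED_EXE):
        return "msdt_outside_system_dirs"
    return None


def triage(events: Iterable[Dict], exempt_users: Iterable[str] = ()) -> List[Dict]:
    """Run the rule and drop hits from accounts exempted as known IT staff."""
    exempt = {u.lower() for u in exempt_users}
    findings = []
    for ev in events:
        branch = matches_rule(ev)
        if branch is None or (ev.get("user.name") or "").lower() in exempt:
            continue
        findings.append({"branch": branch, "user": ev.get("user.name"),
                         "parent": ev.get("process.parent.name"),
                         "executable": ev.get("process.executable")})
    return findings


def _event(**fields) -> Dict:
    base = {"host.os.type": "windows", "event.type": "start"}
    base.update(fields)
    return base


# Constructed sample events (not real telemetry); one benign, then one per branch.
SAMPLE_EVENTS = [
    _event(**{"process.pe.original_file_name": "msdt.exe", "process.name": "msdt.exe",
              "process.executable": "C:\\Windows\\System32\\msdt.exe",
              "process.parent.name": "control.exe", "user.name": "alice",
              "process.args": ["msdt.exe", "/id", "NetworkDiagnosticsWeb"]}),
    _event(**{"process.pe.original_file_name": "msdt.exe", "process.name": "msdt.exe",
              "process.executable": "C:\\Windows\\System32\\msdt.exe",
              "process.parent.name": "explorer.exe", "user.name": "bob",
              "process.args": ["msdt.exe", "ms-msdt:/id"]}),
    _event(**{"process.pe.original_file_name": "msdt.exe", "process.name": "msdt.exe",
              "process.executable": "C:\\Windows\\System32\\msdt.exe",
              "process.parent.name": "cmd.exe", "user.name": "it-helpdesk",
              "process.args": ["msdt.exe", "-af", "PCWDiagnostic.xml", "/skip"]}),
    _event(**{"process.pe.original_file_name": "msdt.exe", "process.name": "diag.exe",
              "process.executable": "C:\\Windows\\Temp\\diag.exe",
              "process.parent.name": "powershell.exe", "user.name": "carol",
              "process.args": ["diag.exe"]}),
    _event(**{"process.pe.original_file_name": "msdt.exe", "process.name": "msdt.exe",
              "process.executable": "C:\\Users\\Public\\msdt.exe",
              "process.parent.name": "explorer.exe", "user.name": "dave",
              "process.args": ["msdt.exe"]}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, exempt_users=["it-helpdesk"]):
        print(finding)
```

The branch order matters for triage labelling only; in the real rule the four alternatives are a single `or`, so any one of them raises the alert. The exemption applied in `triage` mirrors the first false-positive suggestion (known IT accounts) and is deliberately the only exception, since path- or parent-based exclusions are the ones most easily abused and should be added per verified tool.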
Related rules
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Attempt to Install Kali Linux via WSL
- Command Shell Activity Started via RunDLL32
- Control Panel Process with Unusual Arguments
- DNS Global Query Block List Modified or Disabled