Suspicious Microsoft Diagnostics Wizard Execution
Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/05/31"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or
13binary execution via malicious process arguments.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Microsoft Diagnostics Wizard Execution"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24references = [
25 "https://twitter.com/nao_sec/status/1530196847679401984",
26 "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
27]
28risk_score = 73
29rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
30severity = "high"
31tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36process where host.os.type == "windows" and event.type == "start" and
37 (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and
38 (
39 process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or
40
41 (process.args : "-af" and process.args : "/skip" and
42 process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and
43 process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")) or
44
45 (process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or
46
47 (process.pe.original_file_name == "msdt.exe" and not process.executable : ("?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe"))
48 )
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1218"
56name = "System Binary Proxy Execution"
57reference = "https://attack.mitre.org/techniques/T1218/"
58
59
60[rule.threat.tactic]
61id = "TA0005"
62name = "Defense Evasion"
63reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
References
-
.. /Msdt.exe Microsoft diagnostics tool Paths: C:\Windows\System32\Msdt.exe C:\Windows\SysWOW64\Msdt.exe Resources: Acknowledgements: Execute Executes the Microsoft Diagnostics Tool and executes th...
Read More
Related rules
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Clearing Windows Console History
- Clearing Windows Event Logs
- Code Signing Policy Modification Through Built-in tools