Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
Detects a registry value being set under the ms-msdt MSProtocol URI scheme key (HKCR\ms-msdt\), which could be an attempt to exploit CVE-2022-30190 (the MSDT "Follina" vulnerability).
Sigma rule
title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3
status: test
description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Sittikorn S
date: 2020-05-31
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1221
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|startswith: 'HKCR\ms-msdt\'
    condition: selection
falsepositives:
    - Unknown
level: medium
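To show what the rule actually fires on, here is the `selection` above applied to a handful of constructed Sysmon-style registry events. This is an added example, not part of the Sigma rule or the Sigma project's code; the event records are made up for illustration, and the mapping assumed is the usual one for this logsource: `registry_set` corresponds to Sysmon Event ID 13 (RegistryEvent: Value Set), and Sysmon writes HKEY_CLASSES_ROOT as the `HKCR` abbreviation in `TargetObject`. Sigma string comparisons are case-insensitive by default, so the matcher lowercases both sides.

```python
"""Apply the Sigma selection from the rule above to constructed Sysmon events."""
from typing import Dict, Iterable, List

# Prefix from the rule's TargetObject|startswith selection (HKCR\ms-msdt\).
RULE_PREFIX = "HKCR\\ms-msdt\\"

# Assumed logsource mapping: Sigma category `registry_set` = Sysmon Event ID 13
# (value set). Event ID 12 (key create/delete) and 14 (rename) are other categories.
SYSMON_REGISTRY_VALUE_SET = 13


def sigma_startswith(value: str, prefix: str) -> bool:
    """Sigma string matching is case-insensitive unless the |cased modifier is used."""
    return value.lower().startswith(prefix.lower())


def matches_rule(event: Dict[str, object]) -> bool:
    """True when the event satisfies `selection`: right category AND TargetObject prefix."""
    if event.get("EventID") != SYSMON_REGISTRY_VALUE_SET:
        return False
    target = event.get("TargetObject")
    return isinstance(target, str) and sigma_startswith(target, RULE_PREFIX)


def scan(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that fire the rule, reduced to the fields an analyst triages first."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({
                "RecordID": ev["RecordID"],
                "Image": ev.get("Image"),          # process that wrote the value
                "TargetObject": ev["TargetObject"],
                "Details": ev.get("Details"),      # the value data that was written
            })
    return hits


# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKCR\\ms-msdt\\shell\\open\\command\\(Default)",
     "Details": "\"C:\\Windows\\system32\\msdt.exe\" %1"},
    {"RecordID": 2, "EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKCR\\ms-msdt\\URL Protocol", "Details": ""},
    {"RecordID": 3, "EventID": 13, "Image": "C:\\Program Files\\App\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\App",
     "Details": "C:\\Program Files\\App\\app.exe"},
    # Same key, but a key-create event (ID 12): outside the registry_set category.
    {"RecordID": 4, "EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKCR\\ms-msdt\\shell", "Details": None},
    # Mixed case still matches because Sigma comparisons are case-insensitive.
    {"RecordID": 5, "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "hkcr\\MS-MSDT\\(Default)", "Details": "URL:ms-msdt"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Records 1, 2 and 5 fire; record 3 is a different key and record 4 is a key-creation event rather than a value set. Note that the rule matches any write under the key, so re-creating the ms-msdt handler (for example, restoring the registry backup taken when applying the MSRC workaround from the linked guidance) produces the same events as an attacker would; `Image` and `Details` are the fields to check when triaging a hit.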
Related rules
- Server Side Template Injection Strings
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern