Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
Detects a value being set under the ms-msdt MSProtocol URI scheme key in the registry, which could be an attempt to exploit CVE-2022-30190.
Sigma rule (View on GitHub)
```yaml
title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3
status: test
description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Sittikorn S
date: 2020/05/31
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1221
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|startswith: 'HKCR\ms-msdt\'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
Related rules
- Server Side Template Injection Strings
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Change Winevt Channel Access Permission Via Registry
- Disable Administrative Share Creation at Startup
- Disable Microsoft Defender Firewall via Registry