Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
Detects a value being set under the ms-msdt (MSProtocol URI scheme) key in the registry, which could be an attempt to exploit CVE-2022-30190.
Sigma rule
title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3
status: test
description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Sittikorn S
date: 2020-05-31
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1221
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|startswith: 'HKCR\ms-msdt\'
    condition: selection
falsepositives:
    - Unknown
level: medium
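To show what the single selection above actually matches, here is an added Python example (not the rule's own code and not part of SigmaHQ) that applies the rule's logic, TargetObject|startswith 'HKCR\ms-msdt\' with Sigma's case-insensitive string matching, to constructed registry value-set events. It assumes the usual Sysmon mapping of logsource category registry_set to Event ID 13; the event records are constructed for illustration. Two practical points it makes visible: the rule matches any value written under the key, so an administrator restoring the ms-msdt key after applying the Microsoft workaround from the referenced guidance will produce the same match as an attacker re-enabling the handler; and because HKCR is a merged view of HKLM\SOFTWARE\Classes, telemetry that records the underlying HKLM\SOFTWARE\Classes\ms-msdt\ path instead of HKCR\ms-msdt\ will not fire this prefix match unless the ingestion pipeline normalizes registry paths.

```python
# Added example, not the rule's own code: evaluates this Sigma rule's selection
# (TargetObject|startswith 'HKCR\ms-msdt\') over constructed registry value-set
# events. Assumes the usual Sysmon mapping of logsource category registry_set
# to Event ID 13; all event records below are constructed for illustration.
from dataclasses import dataclass

# The rule's single selection. Sigma string matching is case-insensitive,
# so the comparison is performed in lower case.
RULE_PREFIX = "HKCR\\ms-msdt\\"


@dataclass
class RegistryEvent:
    """Minimal Sysmon-style registry event (constructed fields only)."""
    event_id: int        # 12 = key/value create or delete, 13 = value set
    image: str           # process that performed the write
    target_object: str   # registry path in Sigma's HKLM/HKU/HKCR notation
    details: str         # data written (Event ID 13 only)


def matches_rule(event: RegistryEvent) -> bool:
    """Return True if the event satisfies the rule's logsource and selection."""
    if event.event_id != 13:          # logsource: category registry_set
        return False
    return event.target_object.lower().startswith(RULE_PREFIX.lower())


def run_rule(events):
    """Apply the rule to a list of events; return the matching TargetObjects."""
    return [e.target_object for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Re-creation of the ms-msdt handler command: the write the rule is after.
    # The same event is produced when the key is restored after the workaround.
    RegistryEvent(13, r"C:\Windows\System32\reg.exe",
                  r"HKCR\ms-msdt\shell\open\command\(Default)",
                  r'"C:\Windows\system32\msdt.exe" %1'),
    # Same key, different value; mixed case shows the case-insensitive match.
    RegistryEvent(13, r"C:\Windows\regedit.exe",
                  r"hkcr\MS-MSDT\URL Protocol", ""),
    # Another ms-* URI scheme: not covered by this rule.
    RegistryEvent(13, r"C:\Windows\System32\reg.exe",
                  r"HKCR\ms-settings\shell\open\command\(Default)",
                  r"%windir%\explorer.exe %1"),
    # Key creation (Event ID 12) is not a registry_set event.
    RegistryEvent(12, r"C:\Windows\System32\reg.exe",
                  r"HKCR\ms-msdt", ""),
    # Same handler written via the underlying HKLM path: the HKCR prefix
    # does not match unless the pipeline normalizes registry paths.
    RegistryEvent(13, r"C:\Windows\System32\reg.exe",
                  r"HKLM\SOFTWARE\Classes\ms-msdt\URL Protocol", ""),
]


if __name__ == "__main__":
    for target in run_rule(SAMPLE_EVENTS):
        print("MATCH:", target)
```

Running the block prints the two matching TargetObjects; the HKLM\SOFTWARE\Classes form and the Event ID 12 key creation are deliberately left unmatched to show the rule's boundaries.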
Related rules
- Forest Blizzard APT - File Creation Activity
- Forest Blizzard APT - Process Creation Activity
- Kapeka Backdoor Configuration Persistence
- Kapeka Backdoor Execution Via RunDLL32.EXE
- Kapeka Backdoor Loaded Via Rundll32.EXE