File Creation In Suspicious Directory By Msdt.EXE
Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
Sigma rule (View on GitHub)
1title: File Creation In Suspicious Directory By Msdt.EXE
2id: 318557a5-150c-4c8d-b70e-a9910e199857
3status: test
4description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
5references:
6 - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
7 - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
8author: Vadim Varganov, Florian Roth (Nextron Systems)
9date: 2022-08-24
10modified: 2023-02-23
11tags:
12 - attack.persistence
13 - attack.t1547.001
14 - cve.2022-30190
15logsource:
16 category: file_event
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\msdt.exe'
21 TargetFilename|contains:
22 - '\Desktop\'
23 - '\Start Menu\Programs\Startup\'
24 - 'C:\PerfLogs\'
25 - 'C:\ProgramData\'
26 - 'C:\Users\Public\'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
Related rules
- Classes Autorun Keys Modification
- Common Autorun Keys Modification
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification