File Creation In Suspicious Directory By Msdt.EXE

 1title: File Creation In Suspicious Directory By Msdt.EXE
 2id: 318557a5-150c-4c8d-b70e-a9910e199857
 3status: test
 4description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
 5references:
 6    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
 7    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
 8author: Vadim Varganov, Florian Roth (Nextron Systems)
 9date: 2022-08-24
10modified: 2023-02-23
11tags:
12    - attack.privilege-escalation
13    - attack.persistence
14    - attack.t1547.001
15    - cve.2022-30190
16logsource:
17    category: file_event
18    product: windows
19detection:
20    selection:
21        Image|endswith: '\msdt.exe'
22        TargetFilename|contains:
23            - '\Desktop\'
24            - '\Start Menu\Programs\Startup\'
25            - 'C:\PerfLogs\'
26            - 'C:\ProgramData\'
27            - 'C:\Users\Public\'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

• The trouble with Microsoft’s Troubleshooters

  

  An unpatched vulnerability in Microsoft’s Troubleshooting technology

  
  Read More

• Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

  Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability / By MSRC / May 30, 2022 UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been ...

  
  Read More

Related rules

• Classes Autorun Keys Modification
• Common Autorun Keys Modification
• CurrentControlSet Autorun Keys Modification
• CurrentVersion Autorun Keys Modification
• CurrentVersion NT Autorun Keys Modification