File Creation In Suspicious Directory By Msdt.EXE

Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

Sigma rule (View on GitHub)

 1title: File Creation In Suspicious Directory By Msdt.EXE
 2id: 318557a5-150c-4c8d-b70e-a9910e199857
 3status: test
 4description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
 5references:
 6    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
 7    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
 8author: Vadim Varganov, Florian Roth (Nextron Systems)
 9date: 2022/08/24
10modified: 2023/02/23
11tags:
12    - attack.persistence
13    - attack.t1547.001
14    - cve.2022.30190
15logsource:
16    category: file_event
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\msdt.exe'
21        TargetFilename|contains:
22            - '\Desktop\'
23            - '\Start Menu\Programs\Startup\'
24            - 'C:\PerfLogs\'
25            - 'C:\ProgramData\'
26            - 'C:\Users\Public\'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top