Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
Sigma rule (View on GitHub)
1title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
2id: ec8c4047-fad9-416a-8c81-0f479353d7f6
3status: test
4description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
5references:
6 - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
7author: Greg (rule)
8date: 2022-06-17
9modified: 2023-02-17
10tags:
11 - attack.defense-evasion
12 - attack.t1202
13 - cve.2022-30190
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\msdt.exe'
20 ImageLoaded|endswith: '\sdiageng.dll'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
-
Understand the DogWalk 0-day vulnerability in Microsoft's MSDT, with its attack methodologies and mitigation strategies.
Read More
Related rules
- Custom File Open Handler Executes PowerShell
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE
- Potential Arbitrary Command Execution Using Msdt.EXE