Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
Sigma rule (View on GitHub)
1title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
2id: ec8c4047-fad9-416a-8c81-0f479353d7f6
3status: test
4description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
5references:
6 - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
7author: Greg (rule)
8date: 2022/06/17
9modified: 2023/02/17
10tags:
11 - attack.defense_evasion
12 - attack.t1202
13 - cve.2022.30190
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\msdt.exe'
20 ImageLoaded|endswith: '\sdiageng.dll'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
-
Securonix Threat Labs Initial Coverage Advisory: Detecting Microsoft MSDT “DogWalk” .diagcab 0-Day Using Securonix Threat Research
Read More
Related rules
- Windows Binary Executed From WSL
- Uncommon Child Process Of Conhost.EXE
- Lolbin Ssh.exe Use As Proxy
- Potentially Suspicious Child Process Of VsCode
- Potentially Suspicious Office Document Executed From Trusted Location