Troubleshooting Pack Cmdlet Execution
Detects execution of "TroubleshootingPack" cmdlets used to leverage CVE-2022-30190, or to achieve an effect similar to the "msdt" LOLBin (as described in LOLBAS).
Sigma rule
title: Troubleshooting Pack Cmdlet Execution
id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
status: test
description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
references:
    - https://twitter.com/nas_bench/status/1537919885031772161
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-21
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Invoke-TroubleshootingPack'
            - 'C:\Windows\Diagnostics\System\PCW'
            - '-AnswerFile'
            - '-Unattended'
    condition: selection
falsepositives:
    - Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
level: medium
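As an added example (not the Sigma project's code and not part of this rule page), the Python below reproduces the rule's ScriptBlockText|contains|all selection over constructed Script Block Logging events, so that the match and the legitimate non-matching cases behind the falsepositives entry can be checked; the event shape, the answer-file paths and the function names are assumptions.

```python
# Added example (not the Sigma project's code): evaluate this rule's
# "ScriptBlockText|contains|all" selection over constructed PowerShell
# Script Block Logging events. Rule id: 03409c93-a7c7-49ba-9a4c-a00badf2a153

# The four substrings from the rule. Sigma's contains modifier is
# case-insensitive, so both sides are lower-cased before comparison.
# Raw strings keep the backslashes of the diagnostics path literal.
SELECTION_CONTAINS_ALL = (
    r"Invoke-TroubleshootingPack",
    r"C:\Windows\Diagnostics\System\PCW",
    r"-AnswerFile",
    r"-Unattended",
)

def missing_patterns(script_block_text):
    """Return the selection patterns NOT found in the script block text."""
    haystack = script_block_text.lower()
    return [p for p in SELECTION_CONTAINS_ALL if p.lower() not in haystack]

def matches_rule(script_block_text):
    """True only when every pattern is present ('all' semantics)."""
    return not missing_patterns(script_block_text)

def evaluate(events):
    """Return the ids of the events on which the rule fires."""
    return [e["id"] for e in events if matches_rule(e["ScriptBlockText"])]

# Constructed events (assumed shape, not real telemetry); the answer-file
# paths are placeholders.
SAMPLE_EVENTS = [
    # All four strings present: the unattended PCW invocation the rule targets.
    {"id": "evt-1", "ScriptBlockText":
        r"Invoke-TroubleshootingPack -Pack (Get-TroubleshootingPack "
        r"C:\Windows\Diagnostics\System\PCW) -AnswerFile C:\Temp\a.xml -Unattended"},
    # Interactive run of another pack: no answer file, no PCW path -> no alert.
    {"id": "evt-2", "ScriptBlockText":
        r"Get-TroubleshootingPack -Path C:\Windows\Diagnostics\System\Networking "
        r"| Invoke-TroubleshootingPack"},
    # Unattended run of a non-PCW pack: three of four strings -> no alert,
    # which is what keeps the falsepositives listed above low.
    {"id": "evt-3", "ScriptBlockText":
        r"Invoke-TroubleshootingPack -Pack (Get-TroubleshootingPack "
        r"C:\Windows\Diagnostics\System\Networking) -AnswerFile C:\Temp\n.xml -Unattended"},
]

if __name__ == "__main__":
    print("rule fired on:", evaluate(SAMPLE_EVENTS))  # ['evt-1']
```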
Related rules
- Custom File Open Handler Executes PowerShell
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE