Troubleshooting Pack Cmdlet Execution

Oct 17, 2023 · attack.defense_evasion attack.t1202 ·

Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)

Sigma rule (View on GitHub)

 1title: Troubleshooting Pack Cmdlet Execution
 2id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
 3status: test
 4description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
 5references:
 6    - https://twitter.com/nas_bench/status/1537919885031772161
 7    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/06/21
10tags:
11    - attack.defense_evasion
12    - attack.t1202
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection:
19        ScriptBlockText|contains|all:
20            - 'Invoke-TroubleshootingPack'
21            - 'C:\Windows\Diagnostics\System\PCW'
22            - '-AnswerFile'
23            - '-Unattended'
24    condition: selection
25falsepositives:
26    - Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
27level: medium

References

Something went wrong, but don’t fret — let’s give it another shot.

Read More
Msdt | LOLBAS

Application: GUI This LOLBAS will cause a graphical user interface (GUI) to be displayed.

Read More

Troubleshooting Pack Cmdlet Execution

Sigma rule (View on GitHub)

References

Msdt | LOLBAS

Related rules