Execute MSDT Via Answer File
Detects execution of "msdt.exe" with an answer file in a way that imitates the legitimate invocation of msdt via "pcwrun.exe" (for example from the Compatibility tab), but where the parent process is not "pcwrun.exe".
Sigma rule
title: Execute MSDT Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        Image|endswith: '\msdt.exe'
        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
    selection_answer:
        CommandLine|contains:
            - ' -af '
            - ' /af '
    filter:
        ParentImage|endswith: '\pcwrun.exe'
    condition: all of selection* and not filter
falsepositives:
    - Possible undocumented parents of "msdt" other than "pcwrun"
level: high
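To make the condition `all of selection* and not filter` concrete, the following is an added example (written for this page, not code from the Sigma project or its backends): a minimal evaluator that transcribes the rule's detection block and runs it over constructed process_creation events. The event field values, the `-path`/`-af` argument layout and the parent process names are illustrative assumptions, not captured telemetry; the evaluator reproduces Sigma's default case-insensitive string matching, which is why the mixed-case variant still alerts.

```python
"""Added example: evaluate this Sigma rule's detection logic against
constructed process_creation events.  Not part of the Sigma project."""

from typing import Dict, List

# The rule's detection block, transcribed from the YAML above.
RULE = {
    "selection_cli": {
        "Image|endswith": ["\\msdt.exe"],
        "CommandLine|contains": ["\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml"],
    },
    "selection_answer": {
        "CommandLine|contains": [" -af ", " /af "],
    },
    "filter": {
        "ParentImage|endswith": ["\\pcwrun.exe"],
    },
}


def _field_matches(event: Dict[str, str], key: str, values: List[str]) -> bool:
    """Evaluate one 'Field|modifier: values' line.  Listed values are OR-ed,
    and matching is case-insensitive, as Sigma specifies by default."""
    field, _, modifier = key.partition("|")
    actual = event.get(field, "").lower()
    for value in values:
        v = value.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def _selection_matches(event: Dict[str, str], selection: Dict[str, List[str]]) -> bool:
    # Lines within one selection are AND-ed.
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection* and not filter"""
    selections = [v for k, v in RULE.items() if k.startswith("selection")]
    hit = all(_selection_matches(event, s) for s in selections)
    filtered = _selection_matches(event, RULE["filter"])
    return hit and not filtered


# Constructed sample events (assumed layout, not real process telemetry).
_MSDT = r"C:\Windows\System32\msdt.exe"
_CLI = r'"C:\Windows\System32\msdt.exe" -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\constructed\answer.xml'
SAMPLE_EVENTS = [
    {   # expected parent: launched through pcwrun.exe, so the filter suppresses it
        "label": "pcwrun-parent", "Image": _MSDT, "CommandLine": _CLI,
        "ParentImage": r"C:\Windows\System32\pcwrun.exe",
    },
    {   # same command line, but an unexpected parent -> alert
        "label": "unexpected-parent", "Image": _MSDT, "CommandLine": _CLI,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # no answer-file switch, so selection_answer fails -> no alert
        "label": "no-answer-file", "Image": _MSDT,
        "CommandLine": r'"C:\Windows\System32\msdt.exe" -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # different image with the same arguments, selection_cli fails -> no alert
        "label": "other-binary", "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": _CLI, "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # mixed case and the /AF spelling still match (case-insensitive) -> alert
        "label": "case-insensitive-switch", "Image": r"c:\windows\system32\MSDT.EXE",
        "CommandLine": r'"c:\windows\system32\MSDT.EXE" /AF C:\constructed\answer.xml -path C:\Windows\Diagnostics\Index\PCWDiagnostic.XML',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]


def alerting_events(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[str]:
    """Return the labels of the events that would raise this rule."""
    return [e["label"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['label']:>25}: {'ALERT' if rule_matches(e) else 'ok'}")
```

Running the block prints one line per constructed event; only the two events whose parent is not `pcwrun.exe` and whose command line carries both the PCWDiagnostic.xml path and an answer-file switch alert, which is exactly the rule's intent and the source of its stated false-positive case (undocumented parents of msdt).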
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Created Files by Microsoft Sync Center