Execute MSDT Via Answer File
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
Sigma rule (View on GitHub)
1title: Execute MSDT Via Answer File
2id: 9c8c7000-3065-44a8-a555-79bcba5d9955
3status: test
4description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/06/13
9tags:
10 - attack.defense_evasion
11 - attack.t1218
12 - attack.execution
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_cli:
18 Image|endswith: '\msdt.exe'
19 CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
20 selection_answer:
21 CommandLine|contains:
22 - ' -af '
23 - ' /af '
24 filter:
25 ParentImage|endswith: '\pcwrun.exe'
26 condition: all of selection* and not filter
27falsepositives:
28 - Possible undocumented parents of "msdt" other than "pcwrun"
29level: high
References
Related rules
- Created Files by Microsoft Sync Center
- Execute Pcwrun.EXE To Leverage Follina
- Potential Binary Impersonating Sysinternals Tools
- Use Of The SFTP.EXE Binary As A LOLBIN
- Use of Scriptrunner.exe