MSDT Execution Via Answer File
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
Sigma rule
```yaml
title: MSDT Execution Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: |
    Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
modified: 2025-10-29
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
        CommandLine|contains|windash: ' -af '
    filter_main_pcwrun:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Possible undocumented parents of "msdt" other than "pcwrun".
level: high
```
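As an added example (not part of this rule page or the SigmaHQ project), the Python below evaluates the rule's logic against constructed process_creation events: the legitimate `pcwrun.exe` parent is suppressed by the filter, while the same command line under another parent fires, including the `/af` spelling that the `windash` modifier covers. The event fields, command lines, paths and the dash-variant set are assumptions.

```python
from dataclasses import dataclass

# Dash forms the Sigma "windash" modifier expands "-" into (assumed to match pySigma's set).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")

@dataclass
class ProcessCreation:
    image: str
    command_line: str
    parent_image: str

def _endswith(value, suffix):  # Sigma string matching is case-insensitive
    return value.lower().endswith(suffix.lower())

def _contains(value, needle):
    return needle.lower() in value.lower()

def _contains_windash(value, needle):
    # "CommandLine|contains|windash": any dash variant of the needle counts as a hit
    return any(_contains(value, needle.replace("-", dash)) for dash in WINDASH_VARIANTS)

def selection(ev):
    return (_endswith(ev.image, "\\msdt.exe")
            and _contains(ev.command_line, "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml")
            and _contains_windash(ev.command_line, " -af "))

def filter_main_pcwrun(ev):
    return _endswith(ev.parent_image, "\\pcwrun.exe")

def matches(ev):
    # condition: selection and not 1 of filter_main_*
    return selection(ev) and not any(f(ev) for f in (filter_main_pcwrun,))

# Constructed sample events, not real telemetry; the answer-file path is a placeholder.
PCW_CMD = (r'"C:\Windows\System32\msdt.exe" -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
           r' -af C:\Users\alice\AppData\Local\Temp\PCW_placeholder.xml /skip TRUE')
MSDT = r"C:\Windows\System32\msdt.exe"
EVENTS = {
    "pcwrun_parent":   ProcessCreation(MSDT, PCW_CMD, r"C:\Windows\System32\pcwrun.exe"),
    "cmd_parent":      ProcessCreation(MSDT, PCW_CMD, r"C:\Windows\System32\cmd.exe"),
    "slash_dash":      ProcessCreation(MSDT, PCW_CMD.replace(" -af ", " /af "), r"C:\Windows\System32\powershell.exe"),
    "other_msdt_pack": ProcessCreation(MSDT, "msdt.exe -id NetworkDiagnosticsWeb", r"C:\Windows\explorer.exe"),
}

def evaluate(events=EVENTS):
    """Return {event name: True if the rule fires} for each constructed event."""
    return {name: matches(ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16} -> {'ALERT' if hit else 'ok'}")
```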