MSDT Execution Via Answer File
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
Sigma rule (View on GitHub)
1title: MSDT Execution Via Answer File
2id: 9c8c7000-3065-44a8-a555-79bcba5d9955
3status: test
4description: |
5 Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
6references:
7 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022-06-13
10modified: 2025-10-29
11tags:
12 - attack.stealth
13 - attack.t1218
14 - attack.execution
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\msdt.exe'
21 CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
22 CommandLine|contains|windash: ' -af '
23 filter_main_pcwrun:
24 ParentImage|endswith: '\pcwrun.exe'
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - Possible undocumented parents of "msdt" other than "pcwrun".
28level: high
References
Related rules
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE