Potential Arbitrary Command Execution Using Msdt.EXE

Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability

Sigma rule (View on GitHub)

 1title: Potential Arbitrary Command Execution Using Msdt.EXE
 2id: 258fc8ce-8352-443a-9120-8a11e4857fa5
 3status: test
 4description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
 5references:
 6    - https://twitter.com/nao_sec/status/1530196847679401984
 7    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 8    - https://twitter.com/_JohnHammond/status/1531672601067675648
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/05/29
11modified: 2023/02/08
12tags:
13    - attack.defense_evasion
14    - attack.t1202
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\msdt.exe'
21        - OriginalFileName: 'msdt.exe'
22    selection_cmd_inline:
23        CommandLine|contains: 'IT_BrowseForFile='
24    selection_cmd_answerfile_flag:
25        CommandLine|contains: ' PCWDiagnostic'
26    selection_cmd_answerfile_param:
27        CommandLine|contains:
28            - ' /af '
29            - ' -af '
30    condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)
31falsepositives:
32    - Unknown
33level: high

References

Related rules

to-top