Potential Arbitrary Command Execution Using Msdt.EXE
Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
Sigma rule (View on GitHub)
1title: Potential Arbitrary Command Execution Using Msdt.EXE
2id: 258fc8ce-8352-443a-9120-8a11e4857fa5
3status: test
4description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
5references:
6 - https://twitter.com/nao_sec/status/1530196847679401984
7 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
8 - https://twitter.com/_JohnHammond/status/1531672601067675648
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/05/29
11modified: 2024/03/13
12tags:
13 - attack.defense_evasion
14 - attack.t1202
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\msdt.exe'
21 - OriginalFileName: 'msdt.exe'
22 selection_cmd_inline:
23 CommandLine|contains: 'IT_BrowseForFile='
24 selection_cmd_answerfile_flag:
25 CommandLine|contains: ' PCWDiagnostic'
26 selection_cmd_answerfile_param:
27 CommandLine|contains|windash: ' -af '
28 condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)
29falsepositives:
30 - Unknown
31level: high
References
-
-
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More -
Related rules
- Suspicious Cabinet File Execution Via Msdt.EXE
- Renamed NirCmd.EXE Execution
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE
- Use of Setres.exe