Suspicious Cabinet File Execution Via Msdt.EXE

calendar Mar 15, 2024 · attack.defense_evasion attack.t1202  ·
Share on: linkedin copy

Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190

Sigma rule (View on GitHub)

 1title: Suspicious Cabinet File Execution Via Msdt.EXE
 2id: dc4576d4-7467-424f-9eee-fd2b02855fe0
 3related:
 4    - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
 5      type: obsoletes
 6status: test
 7description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
 8references:
 9    - https://twitter.com/nas_bench/status/1537896324837781506
10    - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
11    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
12    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
13author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
14date: 2022/06/21
15modified: 2024/03/13
16tags:
17    - attack.defense_evasion
18    - attack.t1202
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\msdt.exe'
25        - OriginalFileName: 'msdt.exe'
26    selection_cmd:
27        CommandLine|contains|windash: ' -cab '
28    condition: all of selection_*
29falsepositives:
30    - Legitimate usage of ".diagcab" files
31level: medium

References

Related rules

to-top