Suspicious MSDT Parent Process

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

Sigma rule

title: Suspicious MSDT Parent Process
id: 7a74da6b-ea76-47db-92cc-874ad90df734
status: test
description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
author: Nextron Systems
date: 2022/06/01
modified: 2023/02/06
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
        # Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50
    selection_msdt:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
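The rule's logic, evaluated in Python over a handful of constructed process_creation events. This is an added example and not code from the Sigma project; the event dictionaries, their paths and ids are made up for the demonstration, and the field names follow the rule (ParentImage, Image, OriginalFileName). It shows the three Sigma semantics the rule relies on: string matching is case-insensitive by default, a list of values under one field is an OR, a list of maps inside a selection is an OR of the maps (so a copied and renamed msdt.exe is still caught through its PE OriginalFileName), and `all of selection_*` ANDs the two selections together.

```python
# Added example (not from the Sigma project): evaluate the logic of the
# "Suspicious MSDT Parent Process" rule over constructed process_creation events.
# Field names follow the rule (ParentImage, Image, OriginalFileName).

SUSPICIOUS_PARENTS = (
    r"\cmd.exe", r"\cscript.exe", r"\mshta.exe", r"\powershell.exe", r"\pwsh.exe",
    r"\regsvr32.exe", r"\rundll32.exe", r"\schtasks.exe", r"\wmic.exe",
    r"\wscript.exe", r"\wsl.exe",
)


def _endswith_ci(value, suffix):
    """Sigma's |endswith modifier; string matching is case-insensitive by default."""
    return value is not None and value.lower().endswith(suffix.lower())


def _equals_ci(value, expected):
    """Plain Sigma value match, also case-insensitive."""
    return value is not None and value.lower() == expected.lower()


def selection_parent(event):
    """A list of values under one field is an OR over those values."""
    return any(_endswith_ci(event.get("ParentImage"), s) for s in SUSPICIOUS_PARENTS)


def selection_msdt(event):
    """A list of maps ('- Image|endswith', '- OriginalFileName') is an OR of the maps,
    so a renamed msdt.exe is still caught through its PE OriginalFileName."""
    return (_endswith_ci(event.get("Image"), r"\msdt.exe")
            or _equals_ci(event.get("OriginalFileName"), "msdt.exe"))


def matches(event):
    """condition: all of selection_*  ->  every selection_* block must be true."""
    return selection_parent(event) and selection_msdt(event)


# Constructed sample events; paths and ids are made up for the demonstration.
SAMPLE_EVENTS = [
    {"id": "e1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msdt.exe", "OriginalFileName": "msdt.exe"},
    # Launched from explorer.exe: not a suspicious parent for this rule.
    {"id": "e2", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe", "OriginalFileName": "msdt.exe"},
    # Copied/renamed binary, mixed-case parent path: matched via OriginalFileName.
    {"id": "e3", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
     "Image": r"C:\Users\Public\diag.exe", "OriginalFileName": "msdt.exe"},
    # Suspicious parent but a different child: no match.
    {"id": "e4", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    # Office parent is deliberately not in this rule (see the YAML comment).
    {"id": "e5", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe", "OriginalFileName": "msdt.exe"},
]


def alerting_events(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerting_events())  # ['e1', 'e3']
```

When tuning this rule for a real environment, the `falsepositives: Unknown` entry means the parent list has not been validated against your own telemetry; the `e4` and `e5` events illustrate that a hit needs both a listed parent and an msdt.exe child, and that Office parents are handled by the separate rule named in the YAML comment rather than here.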
