Renamed Msdt.EXE Execution
Detects the execution of a renamed "Msdt.exe" binary
Sigma rule (View on GitHub)
1title: Renamed Msdt.EXE Execution
2id: bd1c6866-65fc-44b2-be51-5588fcff82b9
3status: test
4description: Detects the execution of a renamed "Msdt.exe" binary
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
7author: pH-T (Nextron Systems)
8date: 2022-06-03
9modified: 2023-02-03
10tags:
11 - attack.defense-evasion
12 - attack.t1036.003
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 OriginalFileName: 'msdt.exe'
19 filter:
20 Image|endswith: '\msdt.exe'
21 condition: selection and not filter
22falsepositives:
23 - Unlikely
24level: high
25regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/info.yml
References
-
Msdt.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Potential Defense Evasion Via Binary Rename
- Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- File Download Via Bitsadmin
- File Download Via Bitsadmin To An Uncommon Target Folder
- Suspicious Download From Direct IP Via Bitsadmin