Renamed Msdt.EXE Execution

Dec 1, 2023 · attack.defense_evasion attack.t1036.003 ·

Detects the execution of a renamed "Msdt.exe" binary

Sigma rule (View on GitHub)

 1title: Renamed Msdt.EXE Execution
 2id: bd1c6866-65fc-44b2-be51-5588fcff82b9
 3status: test
 4description: Detects the execution of a renamed "Msdt.exe" binary
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
 7author: pH-T (Nextron Systems)
 8date: 2022/06/03
 9modified: 2023/02/03
10tags:
11    - attack.defense_evasion
12    - attack.t1036.003
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        OriginalFileName: 'msdt.exe'
19    filter:
20        Image|endswith: '\msdt.exe'
21    condition: selection and not filter
22falsepositives:
23    - Unlikely
24level: high

References

Msdt | LOLBAS

Application: GUI This LOLBAS will cause a graphical user interface (GUI) to be displayed.

Read More

Related rules

Potential PendingFileRenameOperations Tamper
LOL-Binary Copied From System Directory
Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Suspicious Copy From or To System Directory
Windows Processes Suspicious Parent Directory

Renamed Msdt.EXE Execution

Sigma rule (View on GitHub)

References

Msdt | LOLBAS

Related rules