Sdiagnhost Calling Suspicious Child Process

 1title: Sdiagnhost Calling Suspicious Child Process
 2id: f3d39c45-de1a-4486-a687-ab126124f744
 3status: test
 4description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
 5references:
 6    - https://twitter.com/nao_sec/status/1530196847679401984
 7    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
 8    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 9    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
10    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
11author: Nextron Systems, @Kostastsale
12date: 2022-06-01
13modified: 2024-08-23
14tags:
15    - attack.defense-evasion
16    - attack.t1036
17    - attack.t1218
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        ParentImage|endswith: '\sdiagnhost.exe'
24        Image|endswith:
25            # Add more suspicious LOLBins
26            - '\powershell.exe'
27            - '\pwsh.exe'
28            - '\cmd.exe'
29            - '\mshta.exe'
30            - '\cscript.exe'
31            - '\wscript.exe'
32            - '\taskkill.exe'
33            - '\regsvr32.exe'
34            - '\rundll32.exe'
35            # - '\csc.exe'   # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
36            - '\calc.exe'  # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
37    filter_main_cmd_bits:
38        Image|endswith: '\cmd.exe'
39        CommandLine|contains: 'bits'
40    filter_main_powershell_noprofile:
41        Image|endswith: '\powershell.exe'
42        CommandLine|endswith:
43            - '-noprofile -'
44            - '-noprofile'
45    condition: selection and not 1 of filter_main_*
46falsepositives:
47    - Unknown
48level: high

References

• x.com

  
  Read More

• https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

  
  Read More

• Analysis 05-2022-0438.doc (MD5: 52945AF1DEF85B171870B31FA4782E52) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• Analysis clickme.docx (MD5: 6E43A02B6AB2B6EFAA7921D22A5A17D1) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• Analysis follina1.docx (MD5: 046AE2440E0808BC2EEC9B72DA015981) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

Related rules

• Renamed ZOHO Dctask64 Execution
• Suspicious MSDT Parent Process
• COM Object Execution via Xwizard.EXE
• New Capture Session Launched Via DXCap.EXE
• Potential DLL Sideloading Using Coregen.exe