Sdiagnhost Calling Suspicious Child Process
Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
Sigma rule

title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems
date: 2022/06/01
modified: 2022/10/31
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sdiagnhost.exe'
        Image|endswith:
            # Add more suspicious LOLBins
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\taskkill.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            # - '\csc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
            - '\calc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    condition: selection
falsepositives:
    - Unknown
level: high
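To show what the selection above actually matches, here is an added example (not part of the rule page or the Sigma project) that evaluates the rule's `selection` block against constructed process_creation events; it assumes Sigma's default case-insensitive string matching for `|endswith`, and the field names ParentImage/Image as used by the rule.

```python
"""Added example: evaluate this rule's `selection` block against constructed
Windows process_creation events (shape assumed to follow Sysmon Event ID 1).
Sigma's `endswith` modifier is matched case-insensitively; `_endswith` mirrors that.
"""

# Values copied from the rule's selection block. The commented-out csc.exe
# entry is intentionally absent, exactly as in the rule.
PARENT_SUFFIX = r"\sdiagnhost.exe"
CHILD_SUFFIXES = (
    r"\powershell.exe", r"\pwsh.exe", r"\cmd.exe", r"\mshta.exe",
    r"\cscript.exe", r"\wscript.exe", r"\taskkill.exe", r"\regsvr32.exe",
    r"\rundll32.exe", r"\calc.exe",
)


def _endswith(value: str, suffix: str) -> bool:
    """Sigma `|endswith`: case-insensitive suffix match on the field value."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `condition: selection` for this rule.
    Both fields must match (AND); the value list under Image is an OR."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return _endswith(parent, PARENT_SUFFIX) and any(
        _endswith(image, s) for s in CHILD_SUFFIXES
    )


def alerts(events: list) -> list:
    """Return the events the rule would flag (level: high)."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\WINDOWS\SYSTEM32\SDIAGNHOST.EXE",  # case differs, still matches
     "Image": r"C:\Windows\System32\calc.exe"},
    {"ParentImage": r"C:\Windows\System32\sdiagnhost.exe",  # csc.exe is not in the list
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",             # wrong parent process
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```

Running it flags only the first two sample events, which is also a quick way to confirm that a conversion of the rule to your SIEM's query language preserves both the AND between fields and the case-insensitive suffix semantics.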
Related rules
- CreateDump Process Dump
- Created Files by Microsoft Sync Center
- DeviceCredentialDeployment Execution
- Execute MSDT Via Answer File
- Execute Pcwrun.EXE To Leverage Follina