Sdiagnhost Calling Suspicious Child Process

calendar Oct 17, 2023 · attack.defense_evasion attack.t1036 attack.t1218  ·
Share on: linkedin copy

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

Sigma rule (View on GitHub)

 1title: Sdiagnhost Calling Suspicious Child Process
 2id: f3d39c45-de1a-4486-a687-ab126124f744
 3status: test
 4description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
 5references:
 6    - https://twitter.com/nao_sec/status/1530196847679401984
 7    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 8    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
 9    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
10author: Nextron Systems
11date: 2022/06/01
12modified: 2022/10/31
13tags:
14    - attack.defense_evasion
15    - attack.t1036
16    - attack.t1218
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        ParentImage|endswith: '\sdiagnhost.exe'
23        Image|endswith:
24            # Add more suspicious LOLBins
25            - '\powershell.exe'
26            - '\pwsh.exe'
27            - '\cmd.exe'
28            - '\mshta.exe'
29            - '\cscript.exe'
30            - '\wscript.exe'
31            - '\taskkill.exe'
32            - '\regsvr32.exe'
33            - '\rundll32.exe'
34            # - '\csc.exe'   # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
35            - '\calc.exe'  # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
36    condition: selection
37falsepositives:
38    - Unknown
39level: high

References

Related rules

to-top