ms-msdt for RCE CVE-2022-30190
Detecting the execution of weaponized maldoc or embedded link in outlook that uses ms-msdt scheme to execute code.
Sigma rule
```yaml
title: ms-msdt for RCE CVE-2022-30190
description: Detecting the execution of weaponized maldoc or embedded link in outlook that uses ms-msdt scheme to execute code.
status: experimental
references:
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://twitter.com/secforce_ltd/status/1531987722293886978?s=21&t=f6-tesTzFEhR7TSoyTtp8Q
author: '@Kostastsale'
date: 2022/05/29
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\msdt.exe'
        CommandLine|contains|all:
            - 'msdt'
            - '/id'
    selection2:
        CommandLine|contains|all:
            - 'IT_BrowseForFile'
            - 'IT_LaunchMethod'
    selection3:
        CommandLine|contains|all:
            - '/af'
            - '.xml'
    condition: selection1 and (selection2 or selection3)
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.T1059.003
    - attack.T1204.002
```
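To see how the three selections combine, here is an added Python re-implementation of the rule's detection block (not the Sigma project's code or the rule author's) run over constructed process_creation events; the troubleshooting-pack id and file paths are placeholders, and matching is case-insensitive as Sigma's default string matching is.

```python
# Constructed process_creation events, not real telemetry; only the two
# fields the rule inspects (Image, CommandLine) are modelled.
SAMPLE_EVENTS = [
    # 1: ordinary troubleshooter launch: selection1 only -> no alert
    {"id": 1, "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" /id NetworkDiagnosticsWeb'},
    # 2: selection1 + selection2 (both IT_* parameters present) -> alert
    {"id": 2, "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe /id PLACEHOLDER-PACK-ID IT_LaunchMethod=ContextMenu "
                    r"IT_BrowseForFile=C:\placeholder\file"},
    # 3: selection1 + selection3 (answer file switch with an .xml path) -> alert
    {"id": 3, "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"MSDT.EXE /id PLACEHOLDER-PACK-ID /af C:\placeholder\answers.xml"},
    # 4: IT_* strings but the image is not msdt.exe: selection1 fails -> no alert
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo IT_LaunchMethod IT_BrowseForFile"},
]


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier (case-insensitive)."""
    return value.lower().endswith(suffix.lower())


def contains_all_ci(value: str, needles) -> bool:
    """Sigma 'contains|all' modifier (case-insensitive, every needle present)."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def selection1(ev: dict) -> bool:
    return (endswith_ci(ev["Image"], r"\msdt.exe")
            and contains_all_ci(ev["CommandLine"], ["msdt", "/id"]))


def selection2(ev: dict) -> bool:
    return contains_all_ci(ev["CommandLine"], ["IT_BrowseForFile", "IT_LaunchMethod"])


def selection3(ev: dict) -> bool:
    return contains_all_ci(ev["CommandLine"], ["/af", ".xml"])


def rule_matches(ev: dict) -> bool:
    """condition: selection1 and (selection2 or selection3)"""
    return selection1(ev) and (selection2(ev) or selection3(ev))


def detect(events) -> list:
    """Return the ids of events that would raise this rule's alert."""
    return [ev["id"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    print("alerting events:", detect(SAMPLE_EVENTS))  # returns [2, 3]
```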
Related rules
- ms-msdt for RCE - sdiagnhost.exe spawning command
- Using powershell specific download cradle OneLiner
- Raspberry Robin initial execution from external drive
- Raspberry Robin subsequent execution of commands
- ChromeLoader Malware Detection