ms-msdt for RCE CVE-2022-30190

Detects the execution of msdt.exe triggered by a weaponized malicious document or by an embedded link in Outlook that uses the ms-msdt: URI scheme to execute code.

Sigma rule

```yaml
title: ms-msdt for RCE CVE-2022-30190
id: 5eff5816-a518-4ab8-b7e0-a776344e7d36
description: Detecting the execution of weaponized maldoc or embedded link in outlook that uses ms-msdt scheme to execute code.
status: experimental
references:
  - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
  - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
  - https://twitter.com/nao_sec/status/1530196847679401984
  - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
  - https://twitter.com/secforce_ltd/status/1531987722293886978?s=21&t=f6-tesTzFEhR7TSoyTtp8Q
author: '@Kostastsale'
date: 2022/05/29
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
          - '\msdt.exe'
        CommandLine|contains|all:
          - 'msdt'
          - '/id'
    selection2:
        CommandLine|contains|all:
          - 'IT_BrowseForFile'
          - 'IT_LaunchMethod'
    selection3:
        CommandLine|contains|all:
          - '/af'
          - '.xml'
    condition: selection1 and (selection2 or selection3)
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.T1059.003
    - attack.T1204.002
```
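To check how the rule's selections combine, here is the condition re-implemented in Python and run over a few constructed process_creation events. This is an added example, not part of the Sigma rule or this page; the event dictionaries, file paths, the `/id` package name and the `IT_BrowseForFile` argument are placeholders, and Sigma's case-insensitive `contains`/`endswith` semantics are assumed.

```python
# Added example: evaluates the Sigma rule's condition over constructed
# process_creation events. Sigma's contains/endswith modifiers match
# case-insensitively, so every comparison is done on lowercased strings.

def contains_all(value: str, needles) -> bool:
    """Sigma 'contains|all': every needle must appear somewhere in value."""
    lowered = value.lower()
    return all(needle.lower() in lowered for needle in needles)


def evaluate_selections(event: dict) -> dict:
    """Return which of the rule's three selections fire for one event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return {
        # selection1: msdt.exe itself, invoked with an /id diagnostic package
        "selection1": image.lower().endswith("\\msdt.exe")
        and contains_all(cmd, ["msdt", "/id"]),
        # selection2: the IT_BrowseForFile / IT_LaunchMethod parameter pair
        "selection2": contains_all(cmd, ["IT_BrowseForFile", "IT_LaunchMethod"]),
        # selection3: an answer file (/af) pointing at an .xml
        "selection3": contains_all(cmd, ["/af", ".xml"]),
    }


def matches_rule(event: dict) -> bool:
    """condition: selection1 and (selection2 or selection3)"""
    s = evaluate_selections(event)
    return s["selection1"] and (s["selection2"] or s["selection3"])


# Constructed events (not real telemetry); package name, paths and the
# IT_BrowseForFile argument are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'msdt.exe /id PLACEHOLDER_PACKAGE /skip force /param '
                    r'"IT_LaunchMethod=ContextMenu IT_BrowseForFile=PLACEHOLDER"'},
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe /id PLACEHOLDER_PACKAGE /af C:\Temp\answers.xml"},
    # Plain troubleshooter launch: selection1 only, so no alert
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe /id PLACEHOLDER_PACKAGE"},
    # Different image: the parameter strings alone do not satisfy selection1
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe IT_BrowseForFile IT_LaunchMethod /id msdt"},
]


def flagged_indices(events) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Events 0 and 1 are flagged (selection1 with selection2, and selection1 with selection3 respectively); events 2 and 3 are not, which is the distinction the `condition` line encodes.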
