ms-msdt for RCE - sdiagnhost.exe spawning command

Detects sdiagnhost.exe spawning a command shell (cmd.exe or powershell.exe), which is the process chain observed when the ms-msdt vulnerability (Follina) is exploited via the public proof of concept.

Sigma rule

```yaml
title: ms-msdt for RCE - sdiagnhost.exe spawning command
id: 6469c7a1-8a28-40c4-a72b-5acddcfd0b0b
description: Detecting sdiagnhost.exe executing the POC as a result of vulnerability based on ms-msdt.
status: experimental
references:
  - https://twitter.com/nao_sec/status/1530196847679401984
  - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
author: '@Kostastsale'
date: 2022/05/29
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
          - '\sdiagnhost.exe'
        Image|endswith:
          - '\cmd.exe'
          - '\powershell.exe'
    filter1:
        Image|endswith:
          - '\cmd.exe'
        CommandLine|contains:
          - 'bits'
    filter2:
        Image|endswith:
          - '\powershell.exe'
        CommandLine|endswith:
          - '-noprofile'
          - '-noprofile -'
    condition: selection1 and not (filter1 or filter2)
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.T1059.003
    - attack.T1204.002
```
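To make the rule's logic concrete, the following Python script, added here as an illustration and not part of the rule or its author's tooling, evaluates the same `selection1 and not (filter1 or filter2)` condition over a handful of constructed process_creation events. The field names (`ParentImage`, `Image`, `CommandLine`) are the Sigma field names from the rule; the event dictionaries and their values are made up for the example. String comparisons are case-insensitive, which mirrors how Sigma's `endswith` and `contains` modifiers are evaluated by most backends.

```python
# Added example: evaluates the Sigma rule's detection logic in plain Python.
# The events below are constructed for illustration, not real telemetry.

SELECTION_PARENTS = ("\\sdiagnhost.exe",)
SELECTION_IMAGES = ("\\cmd.exe", "\\powershell.exe")


def _field(event, name):
    # Sigma string matching is case-insensitive; normalise once here.
    return str(event.get(name, "")).lower()


def matches_selection1(event):
    # ParentImage|endswith '\sdiagnhost.exe' AND Image|endswith cmd/powershell
    return (_field(event, "ParentImage").endswith(SELECTION_PARENTS)
            and _field(event, "Image").endswith(SELECTION_IMAGES))


def matches_filter1(event):
    # cmd.exe whose command line contains 'bits' (e.g. BITS-related troubleshooters)
    return (_field(event, "Image").endswith("\\cmd.exe")
            and "bits" in _field(event, "CommandLine"))


def matches_filter2(event):
    # powershell.exe launched with a bare '-noprofile' (or '-noprofile -') ending
    return (_field(event, "Image").endswith("\\powershell.exe")
            and _field(event, "CommandLine").endswith(("-noprofile", "-noprofile -")))


def rule_fires(event):
    # condition: selection1 and not (filter1 or filter2)
    return matches_selection1(event) and not (matches_filter1(event)
                                              or matches_filter2(event))


# Constructed sample events (not real logs). Only the first should alert.
SAMPLE_EVENTS = [
    {  # sdiagnhost -> cmd.exe with an arbitrary command: alert
        "ParentImage": "C:\\Windows\\System32\\sdiagnhost.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'cmd.exe /c "echo constructed-sample"',
    },
    {  # sdiagnhost -> cmd.exe mentioning BITS: suppressed by filter1
        "ParentImage": "C:\\Windows\\System32\\sdiagnhost.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c sc query bits",
    },
    {  # sdiagnhost -> powershell.exe ending in -noprofile: suppressed by filter2
        "ParentImage": "C:\\Windows\\System32\\sdiagnhost.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -noprofile",
    },
    {  # explorer.exe -> cmd.exe: parent does not match selection1
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe",
    },
]


def evaluate(events):
    """Return the indices of events on which the rule fires."""
    return [i for i, event in enumerate(events) if rule_fires(event)]


if __name__ == "__main__":
    for idx in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running the script prints a single alert for the first event. The two filters are worth understanding before deploying the rule: `filter1` suppresses any cmd.exe child whose command line contains the substring `bits`, and `filter2` suppresses powershell.exe children whose command line ends in `-noprofile`; both are broad, so an analyst tuning the rule should verify that suppressed events in their environment are genuinely benign troubleshooter activity.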
