ms-msdt for RCE - sdiagnhost.exe spawning command
Detects sdiagnhost.exe (the Scripted Diagnostics Native Host that msdt.exe troubleshooting packs run under) spawning cmd.exe or powershell.exe, the process chain produced by the public ms-msdt (Follina) proof of concept. The rule is not tied to the proof of concept's payload: any cmd.exe or powershell.exe child of sdiagnhost.exe alerts unless one of the two exclusions below applies.
Sigma rule
```yaml
title: ms-msdt for RCE - sdiagnhost.exe spawning command
id: 6469c7a1-8a28-40c4-a72b-5acddcfd0b0b
description: Detects sdiagnhost.exe spawning cmd.exe or powershell.exe, the process chain produced by the public ms-msdt (Follina) proof of concept.
status: experimental
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
author: '@Kostastsale'
date: 2022/05/29
logsource:
    category: process_creation
    product: windows
detection:
    # Troubleshooting pack host launching a command interpreter
    selection1:
        ParentImage|endswith:
            - '\sdiagnhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    # Exclusion: cmd.exe children whose command line mentions 'bits'
    filter1:
        Image|endswith:
            - '\cmd.exe'
        CommandLine|contains:
            - 'bits'
    # Exclusion: powershell.exe children whose command line ends in -noprofile
    # (a command line with further arguments after -noprofile still alerts)
    filter2:
        Image|endswith:
            - '\powershell.exe'
        CommandLine|endswith:
            - '-noprofile'
            - '-noprofile -'
    condition: selection1 and not (filter1 or filter2)
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.t1059.003
    - attack.t1204.002
```
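To see exactly which process-creation events the condition above alerts on, here is an added Python evaluator. It is not part of the rule or its repository; it reimplements the selection, the two filters and the condition with Sigma's case-insensitive `endswith`/`contains` semantics and runs them over constructed Sysmon-style events (the event contents are made up for illustration). It shows the two exclusions in action and one point a practitioner should know: the `-noprofile` exclusion only suppresses command lines that end there, so `powershell.exe -nop -w hidden -c ...` is still flagged.

```python
"""Added example: evaluate the Sigma rule's logic against constructed
process_creation events. Not part of the rule or its repository. Field
names follow Sysmon Event ID 1 as Sigma's windows/process_creation
logsource exposes them (ParentImage, Image, CommandLine)."""

# Patterns copied from the rule. Sigma string matching is case-insensitive;
# the leading backslash anchors the match to the file-name component.
SELECTION_PARENTIMAGE = (r"\sdiagnhost.exe",)
SELECTION_IMAGE = (r"\cmd.exe", r"\powershell.exe")
FILTER1_IMAGE = (r"\cmd.exe",)
FILTER1_COMMANDLINE_CONTAINS = ("bits",)
FILTER2_IMAGE = (r"\powershell.exe",)
FILTER2_COMMANDLINE_ENDSWITH = ("-noprofile", "-noprofile -")


def _endswith(value, patterns):
    """Sigma '|endswith' modifier: true if any pattern matches, case-insensitive."""
    v = (value or "").lower()
    return any(v.endswith(p.lower()) for p in patterns)


def _contains(value, patterns):
    """Sigma '|contains' modifier: true if any pattern occurs, case-insensitive."""
    v = (value or "").lower()
    return any(p.lower() in v for p in patterns)


def selection1(ev):
    """sdiagnhost.exe spawning cmd.exe or powershell.exe."""
    return _endswith(ev.get("ParentImage"), SELECTION_PARENTIMAGE) and _endswith(
        ev.get("Image"), SELECTION_IMAGE
    )


def filter1(ev):
    """Exclusion: cmd.exe whose command line contains 'bits'."""
    return _endswith(ev.get("Image"), FILTER1_IMAGE) and _contains(
        ev.get("CommandLine"), FILTER1_COMMANDLINE_CONTAINS
    )


def filter2(ev):
    """Exclusion: powershell.exe whose command line ENDS in -noprofile."""
    return _endswith(ev.get("Image"), FILTER2_IMAGE) and _endswith(
        ev.get("CommandLine"), FILTER2_COMMANDLINE_ENDSWITH
    )


def rule_matches(ev):
    """condition: selection1 and not (filter1 or filter2)"""
    return selection1(ev) and not (filter1(ev) or filter2(ev))


# Constructed sample events (not real telemetry); 'id' is only a label.
SAMPLE_EVENTS = [
    {   # Follina-style chain: troubleshooter host spawns cmd.exe -> alert
        "id": "sdiag_cmd_calc",
        "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c calc.exe",
    },
    {   # Mixed-case paths, powershell with trailing arguments -> alert
        # (filter2 needs the command line to END in -noprofile)
        "id": "sdiag_powershell_nop_hidden",
        "ParentImage": r"C:\WINDOWS\SYSTEM32\SDIAGNHOST.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
        "CommandLine": "PowerShell.exe -nop -w hidden -c IEX([IO.File]::ReadAllText('C:\\Users\\Public\\a.ps1'))",
    },
    {   # Suppressed by filter1: command line contains 'bits'
        "id": "sdiag_cmd_bits",
        "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c sc query bits",
    },
    {   # Suppressed by filter2: command line ends in -noprofile
        "id": "sdiag_powershell_noprofile",
        "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -noprofile",
    },
    {   # Not selected: parent is not sdiagnhost.exe
        "id": "explorer_cmd",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c calc.exe",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the labels of the events the rule would alert on, in input order."""
    return [ev["id"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for label in run():
        print("ALERT", label)
```

Running it prints alerts for `sdiag_cmd_calc` and `sdiag_powershell_nop_hidden` only. Note that filter1 matches on the substring `bits` anywhere in a cmd.exe command line, so when tuning this rule for your environment check what legitimate troubleshooting packs actually run under sdiagnhost.exe rather than widening that exclusion further.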
References
- https://twitter.com/nao_sec/status/1530196847679401984
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
Related rules
- ms-msdt for RCE CVE-2022-30190
- Abuse of the Windows Server Update Services (WSUS) for lateral movement
- ChromeLoader Malware Detection
- Detecting Ammy Admin RMM Agent Execution
- Detection of CMD Execution via AnyViewer RMM