ms-msdt for RCE - sdiagnhost.exe spawning command

Detects sdiagnhost.exe spawning cmd.exe or powershell.exe, the process chain seen when a proof of concept for the ms-msdt (Follina) vulnerability executes, while filtering out the two invocation forms the rule treats as expected troubleshooter activity.

Sigma rule

```yaml
title: ms-msdt for RCE - sdiagnhost.exe spawning command
description: Detects sdiagnhost.exe spawning cmd.exe or powershell.exe, as seen when a proof of concept for the ms-msdt vulnerability executes.
status: experimental
references:
  - https://twitter.com/nao_sec/status/1530196847679401984
  - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
author: '@Kostastsale'
date: 2022/05/29
logsource:
    category: process_creation
    product: windows
detection:
    # sdiagnhost.exe (the troubleshooter host) launching a shell
    selection1:
        ParentImage|endswith:
          - '\sdiagnhost.exe'
        Image|endswith:
          - '\cmd.exe'
          - '\powershell.exe'
    # cmd.exe whose command line mentions 'bits' (e.g. bitsadmin) is tolerated
    filter1:
        Image|endswith:
          - '\cmd.exe'
        CommandLine|contains:
          - 'bits'
    # powershell.exe whose command line ends in -noprofile (or '-noprofile -') is tolerated;
    # note this is an endswith match, so '-noprofile' followed by further arguments still alerts
    filter2:
        Image|endswith:
          - '\powershell.exe'
        CommandLine|endswith:
          - '-noprofile'
          - '-noprofile -'
    condition: selection1 and not (filter1 or filter2)
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.T1059.003
    - attack.T1204.002
```
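To see what the condition `selection1 and not (filter1 or filter2)` actually admits and suppresses, the following Python reimplements the rule's matching logic and runs it over a handful of constructed Windows process_creation events. This is an added example, not code from the Sigma project or the rule author; the field names follow the Sysmon/Sigma process_creation schema, Sigma's default case-insensitive string matching is assumed, and every sample event and path below is constructed for illustration.

```python
"""Evaluate the 'ms-msdt for RCE - sdiagnhost.exe spawning command' Sigma rule
against constructed process_creation events.

Added example (not the Sigma project's or the rule author's code). Assumes the
Sysmon/Sigma process_creation field names ParentImage, Image and CommandLine,
and Sigma's default case-insensitive string matching.
"""


def _ci_endswith(value: str, suffixes) -> bool:
    # Sigma's |endswith modifier is case-insensitive by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _ci_contains(value: str, needles) -> bool:
    # Sigma's |contains modifier is case-insensitive by default.
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies
    'selection1 and not (filter1 or filter2)' as written in the rule."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")

    # selection1: sdiagnhost.exe is the parent of cmd.exe or powershell.exe
    selection1 = _ci_endswith(parent, ["\\sdiagnhost.exe"]) and _ci_endswith(
        image, ["\\cmd.exe", "\\powershell.exe"]
    )
    # filter1: cmd.exe whose command line contains 'bits' anywhere
    filter1 = _ci_endswith(image, ["\\cmd.exe"]) and _ci_contains(cmdline, ["bits"])
    # filter2: powershell.exe whose command line ENDS with -noprofile or '-noprofile -'
    # (assumed here to be the benign troubleshooter invocation the filter exists for)
    filter2 = _ci_endswith(image, ["\\powershell.exe"]) and _ci_endswith(
        cmdline, ["-noprofile", "-noprofile -"]
    )
    return selection1 and not (filter1 or filter2)


# Constructed sample events (not captured from a real host).
SDIAG = "C:\\Windows\\System32\\sdiagnhost.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [
    # 0: cmd.exe spawned by sdiagnhost.exe with an arbitrary payload -> alert
    {"ParentImage": SDIAG, "Image": CMD, "CommandLine": "cmd.exe /c calc.exe"},
    # 1: powershell ending in -NoProfile (mixed case) -> suppressed by filter2
    {"ParentImage": SDIAG, "Image": PS, "CommandLine": "powershell.exe -NoProfile"},
    # 2: the '-noprofile -' variant -> suppressed by filter2
    {"ParentImage": SDIAG, "Image": PS, "CommandLine": "powershell.exe -noprofile -"},
    # 3: cmd.exe running bitsadmin -> suppressed by filter1
    {"ParentImage": SDIAG, "Image": CMD, "CommandLine": "cmd.exe /c bitsadmin /list"},
    # 4: -noprofile followed by more arguments -> filter2 does not apply -> alert
    {"ParentImage": SDIAG, "Image": PS,
     "CommandLine": "powershell.exe -noprofile -ep bypass -c whoami"},
    # 5: same child, but a different parent -> selection1 fails -> no alert
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": CMD, "CommandLine": "cmd.exe /c whoami"},
]


def alerting_events(events) -> list:
    """Indices of the events the rule would fire on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alerting_events(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 4 alert; the rest are dropped by the parent check or by one of the two filters. Event 4 is the practical caveat: because filter2 is an `endswith` match, a PowerShell command line that starts with `-noprofile` but carries further arguments is still reported, which is the behaviour you want for a payload but also why a legitimate troubleshooter script with extra switches would surface as a hit.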
