ms-msdt for RCE - sdiagnhost.exe spawning command
Detects sdiagnhost.exe spawning cmd.exe or powershell.exe, the process chain produced when the ms-msdt (Follina) proof of concept is executed.
Sigma rule
```yaml
title: ms-msdt for RCE - sdiagnhost.exe spawning command
description: Detecting sdiagnhost.exe executing the POC as a result of vulnerability based on ms-msdt.
status: experimental
references:
  - https://twitter.com/nao_sec/status/1530196847679401984
  - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
author: '@Kostastsale'
date: 2022/05/29
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\sdiagnhost.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  filter1:
    Image|endswith:
      - '\cmd.exe'
    CommandLine|contains:
      - 'bits'
  filter2:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|endswith:
      - '-noprofile'
      - '-noprofile -'
  condition: selection1 and not (filter1 or filter2)
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.T1059.003
  - attack.T1204.002
```
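To see what the rule actually matches and, just as importantly, what its two filters suppress, here is an added example that re-implements the detection logic in plain Python and runs it over a handful of constructed process_creation events. This is not code from the rule's author or from the Sigma project; the events are made up for illustration and the field names (ParentImage, Image, CommandLine) follow the Sigma process_creation taxonomy. Sigma's endswith/contains modifiers are case-insensitive, so both sides of every comparison are lower-cased first.

```python
# Added example: stand-alone replay of the sdiagnhost.exe Sigma rule.
# Not part of the original rule; sample events below are constructed.


def _field(ev, name):
    """Lower-cased field value; a missing field matches nothing."""
    return str(ev.get(name, "")).lower()


def selection1(ev):
    # ParentImage|endswith '\sdiagnhost.exe' AND Image|endswith cmd.exe or powershell.exe
    return (_field(ev, "ParentImage").endswith("\\sdiagnhost.exe")
            and _field(ev, "Image").endswith(("\\cmd.exe", "\\powershell.exe")))


def filter1(ev):
    # cmd.exe whose CommandLine contains the substring 'bits' anywhere
    return (_field(ev, "Image").endswith("\\cmd.exe")
            and "bits" in _field(ev, "CommandLine"))


def filter2(ev):
    # powershell.exe whose CommandLine ENDS with '-noprofile' or '-noprofile -'
    cmdline = _field(ev, "CommandLine")
    return (_field(ev, "Image").endswith("\\powershell.exe")
            and cmdline.endswith(("-noprofile", "-noprofile -")))


def rule_matches(ev):
    # condition: selection1 and not (filter1 or filter2)
    return selection1(ev) and not (filter1(ev) or filter2(ev))


SDIAGNHOST = r"C:\Windows\System32\sdiagnhost.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample events (not real telemetry); 'label' is only for reporting.
SAMPLE_EVENTS = [
    {"label": "cmd child of sdiagnhost",
     "ParentImage": SDIAGNHOST, "Image": CMD,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c calc.exe'},
    {"label": "powershell ending in -NoProfile (suppressed by filter2)",
     "ParentImage": SDIAGNHOST, "Image": POWERSHELL,
     "CommandLine": '"powershell.exe" -NoProfile'},
    {"label": "powershell -NoProfile with trailing arguments (not suppressed)",
     "ParentImage": SDIAGNHOST, "Image": POWERSHELL,
     "CommandLine": '"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command calc'},
    {"label": "cmd mentioning bits (suppressed by filter1)",
     "ParentImage": SDIAGNHOST, "Image": CMD,
     "CommandLine": '"cmd.exe" /c sc query bits'},
    {"label": "cmd child of explorer (parent does not match)",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": CMD,
     "CommandLine": '"cmd.exe" /c calc.exe'},
]


def flagged(events=SAMPLE_EVENTS):
    """Labels of the events the rule would alert on, in input order."""
    return [ev["label"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(("ALERT  " if rule_matches(ev) else "       ") + ev["label"])
```

Two behaviours of the rule are worth noting from the replay. filter2 only suppresses a PowerShell command line that ends with `-noprofile` (or `-noprofile -`); the same flag followed by further arguments still fires, which is the case an attacker-controlled payload is likely to produce. filter1, by contrast, is a bare substring test, so any cmd.exe line from sdiagnhost.exe that contains "bits" anywhere is dropped, a broad exclusion to keep in mind when tuning.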
Related rules
- Using powershell specific download cradle OneLiner
- Raspberry Robin initial execution from external drive
- Raspberry Robin subsequent execution of commands
- ChromeLoader Malware Detection
- Emotet loader execution via .lnk file