title: Office suspicious msdt process child
id: f84a2310-8c1d-4ce3-b90d-a2179d75831b
description: |
  Detects possible exploitation of the Microsoft Office code execution vulnerability `Follina` by looking for an Office process launching the `msdt.exe` process (Microsoft Support Diagnostic Tool).
  When the exploitation is successful, `sdiagnhost.exe` spawns `cmd.exe` to launch the malicious code.
  Investigation process:
  - look at the msdt.exe command line in order to understand what was executed
  - check for suspicious sdiagnhost.exe child processes (cmd.exe, powershell.exe, etc.)
  - check other actions made with this account name or session id after the exploitation.
status: testing
author: ANSSI
tags:
  - attack.user_execution
  - attack.t1204.002
references:
  - https://twitter.com/nao_sec/status/1530196847679401984
  - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
  - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: msdt.exe
    ParentImage|endswith:
      - WINWORD.EXE
      - OUTLOOK.EXE
      - POWERPNT.EXE
      - EXCEL.EXE
  condition: selection
falsepositives:
  - Unknown
level: high
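The following is an added example, not part of the rule file above: it evaluates the rule's `selection` with Sigma semantics (case-insensitive `endswith`, a list of values is an OR, all fields must match) over constructed process-creation events, then applies the second investigation step (sdiagnhost.exe spawning cmd.exe or powershell.exe in the same logon session). Event field names, the `LogonId` field and the sample command lines are assumptions.

```python
# Constructed Windows process-creation events (not real telemetry). Only the
# fields the rule and the triage step need are included; LogonId is assumed.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "msdt.exe <constructed placeholder arguments>", "LogonId": "0x3e7a1"},
    {"Image": r"C:\Windows\System32\sdiagnhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "sdiagnhost.exe -Embedding", "LogonId": "0x3e7a1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": "cmd.exe /c <constructed placeholder>", "LogonId": "0x3e7a1"},
    # Benign: msdt launched by the user from the shell, not by an Office app.
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msdt.exe <constructed placeholder>", "LogonId": "0x4b2c0"},
]

# The rule's selection block, as Sigma "field|modifier: value(s)" pairs.
SELECTION = {
    "Image|endswith": "msdt.exe",
    "ParentImage|endswith": ["WINWORD.EXE", "OUTLOOK.EXE", "POWERPNT.EXE", "EXCEL.EXE"],
}

def matches_selection(event, selection=SELECTION):
    """True when every selection entry matches (AND); list values are OR-ed.
    Sigma string matching is case-insensitive, so both sides are lowercased."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, "")).lower()
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if modifier == "endswith":
            ok = any(value.endswith(p.lower()) for p in patterns)
        elif modifier == "":
            ok = any(value == p.lower() for p in patterns)
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if not ok:
            return False
    return True

def detect(events):
    """Events that would fire the rule (condition: selection)."""
    return [e for e in events if matches_selection(e)]

SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe")

def triage_sdiagnhost_children(events, hit):
    """Investigation step: sdiagnhost.exe children worth a look, restricted to
    the same logon session as the alerting msdt.exe event."""
    return [e for e in events
            if e.get("LogonId") == hit.get("LogonId")
            and e["ParentImage"].lower().endswith("sdiagnhost.exe")
            and e["Image"].lower().endswith(SUSPICIOUS_CHILDREN)]
```

Running `detect(SAMPLE_EVENTS)` returns only the WINWORD-spawned msdt.exe event; the explorer.exe-spawned one does not match the parent list.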