title: MSDT lolbin usage
id: 03c7d2f5-c503-4979-ade8-2f76ab6e90a1
description: |
    This rule detects Microsoft Support Diagnostic Tool (MSDT) process execution with command-line arguments indicating remote code execution through the ms-msdt protocol handler.
    This lolbin technique was first observed being used by threat actors to execute remote code through Office applications and is tracked as CVE-2022-30190 ("Follina").
    The rule does not depend on the parent process, because any application that can render HTML could invoke MSDT the same way.
    An attacker who successfully exploits this vulnerability can run arbitrary code under sdiagnhost.exe with the privileges of the calling application. The attacker can then install programs; view, change or delete data; or create new accounts in the context allowed by the user's rights.
    Note that the selection requires all four command-line markers, so it is precise but will not fire on invocations that use a different troubleshooting pack or omit one of the IT_* parameters.
    Investigation process:
    - look at the msdt.exe command line in order to understand what was executed
    - check for suspicious children of sdiagnhost.exe (cmd.exe, powershell.exe, etc.)
    - check for a suspicious parent of msdt.exe (Office applications, PowerShell, etc.)
status: experimental
author: ANSSI
tags:
    - cve.2022_30190
    - lolbin.msdt
    - attack.user_execution
    - attack.t1204.002
    - attack.defense_evasion
    - attack.t1202
logsource:
    product: windows
    category: process_creation
references:
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ee424379(v=ws.11)
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
    - https://twitter.com/wdormann/status/1531619222295568384
detection:
    selection:
        Image|endswith: 'msdt.exe'
        CommandLine|contains|all:
            - 'ms-msdt:'
            - 'PCWDiagnostic'
            - 'IT_BrowseForFile'
            - 'IT_LaunchMethod'
    condition: selection
falsepositives:
    - Unknown
level: high
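The following Python script is an added example, not part of the ANSSI rule or the Sigma project: it mirrors the rule's `selection` (Sigma `contains`/`endswith` modifiers are case-insensitive by default, so everything is compared lower-cased) and then applies the three investigation steps from the description to a handful of constructed Sysmon-style process_creation events. The events, the time-window correlation between msdt.exe and sdiagnhost.exe, and the lists of suspicious parents and children are all assumptions for illustration; the Follina-shaped command line is modelled on the public sample but launches nothing.

```python
"""Evaluate the MSDT rule's `selection` and its investigation steps over
Sysmon-style process_creation events. Added example, not the ANSSI rule."""
from collections import defaultdict

# Sigma string modifiers are case-insensitive by default, so all comparisons
# are done on lower-cased values. These are the rule's four required fragments.
REQUIRED_FRAGMENTS = ("ms-msdt:", "pcwdiagnostic", "it_browseforfile", "it_launchmethod")

# Assumed lists for the investigation steps (not from the rule); tune per environment.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "msaccess.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return str(path).replace("\\", "/").rsplit("/", 1)[-1].lower()


def selection_matches(event):
    """Mirror of the rule: Image|endswith 'msdt.exe' AND CommandLine|contains|all."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    return image.endswith("msdt.exe") and all(f in cmdline for f in REQUIRED_FRAGMENTS)


def triage(events):
    """Run the rule, then the investigation steps; return one finding per hit."""
    children = defaultdict(list)
    for e in events:
        children[e.get("ParentProcessId")].append(e)
    findings = []
    for e in events:
        if not selection_matches(e):
            continue
        parent = basename(e.get("ParentImage", ""))
        # sdiagnhost.exe runs the troubleshooting pack but is not a direct child
        # of msdt.exe, so it is located by name and limited (assumption) to
        # instances created at or after the msdt.exe event.
        spawned = []
        for host in events:
            if basename(host.get("Image", "")) == "sdiagnhost.exe" \
                    and host.get("UtcTime", "") >= e.get("UtcTime", ""):
                spawned += [basename(c.get("Image", "")) for c in children[host.get("ProcessId")]]
        findings.append({
            "command_line": e.get("CommandLine", ""),
            "parent": parent,
            "suspicious_parent": parent in SUSPICIOUS_PARENTS,
            "sdiagnhost_children": sorted(c for c in spawned if c in SUSPICIOUS_CHILDREN),
        })
    return findings


# Constructed events, not real telemetry. Event 0 is shaped like the public
# Follina sample; event 3 is a user starting the compatibility troubleshooter.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-05-30 10:00:00", "ProcessId": 4120, "ParentProcessId": 3300,
     "Image": "C:\\Windows\\System32\\msdt.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "\"C:\\WINDOWS\\system32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force "
                    "/param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu "
                    "IT_BrowseForFile=$(Invoke-Expression('calc.exe'))i/../../../../../../../"
                    "../../../../../../../Windows/System32/mpsigstub.exe\""},
    {"UtcTime": "2022-05-30 10:00:02", "ProcessId": 4180, "ParentProcessId": 912,
     "Image": "C:\\Windows\\System32\\sdiagnhost.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\sdiagnhost.exe -Embedding"},
    {"UtcTime": "2022-05-30 10:00:03", "ProcessId": 4210, "ParentProcessId": 4180,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\sdiagnhost.exe",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe"},
    {"UtcTime": "2022-05-30 11:15:00", "ProcessId": 5120, "ParentProcessId": 2200,
     "Image": "C:\\Windows\\System32\\msdt.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" /id PCWDiagnostic"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"parent={f['parent']} suspicious_parent={f['suspicious_parent']} "
              f"sdiagnhost_children={f['sdiagnhost_children']}")
        print("  cmdline:", f["command_line"][:120], "...")
```

Two details worth noticing when running it: the benign `/id PCWDiagnostic` launch is not a hit because it lacks `ms-msdt:` and the `IT_*` parameters, and `IT_RebrowseForFile` alone does not satisfy the `IT_BrowseForFile` fragment, so a command line carrying only the former is also not a hit.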