Detectionhightest
Potential Arbitrary Command Execution Using Msdt.EXE
Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Sun May 29Updated Wed Mar 13258fc8ce-8352-443a-9120-8a11e4857fa5windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic4 selectors
detection:
selection_img:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
selection_cmd_inline:
CommandLine|contains: 'IT_BrowseForFile='
selection_cmd_answerfile_flag:
CommandLine|contains: ' PCWDiagnostic'
selection_cmd_answerfile_param:
CommandLine|contains|windash: ' -af '
condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
258fc8ce-8352-443a-9120-8a11e4857fa5
Status
test
Level
high
Type
Detection
Created
Sun May 29
Modified
Wed Mar 13
Path
rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
Raw Tags
attack.defense-evasionattack.t1202