Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

File Creation In Suspicious Directory By Msdt.EXE

Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Vadim Varganov, Florian Roth (Nextron Systems)Created Wed Aug 24Updated Thu Feb 23318557a5-150c-4c8d-b70e-a9910e199857windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith: '\msdt.exe'
        TargetFilename|contains:
            - '\Desktop\'
            - '\Start Menu\Programs\Startup\'
            - 'C:\PerfLogs\'
            - 'C:\ProgramData\'
            - 'C:\Users\Public\'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
irsl.medium.com
2
Resolving title…
msrc-blog.microsoft.com
MITRE ATT&CK

Other

cve.2022-30190
Rule Metadata
Rule ID
318557a5-150c-4c8d-b70e-a9910e199857
Status
test
Level
high
Type
Detection
Created
Wed Aug 24
Modified
Thu Feb 23
Author
Vadim Varganov, Florian Roth (Nextron Systems)
Path
rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.001cve.2022-30190
View on GitHub