Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious MSDT Parent Process

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nextron SystemsCreated Wed Jun 01Updated Mon Feb 067a74da6b-ea76-47db-92cc-874ad90df734windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_parent:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            # Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50
    selection_msdt:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
2
Resolving title…
app.any.run
MITRE ATT&CK
Rule Metadata
Rule ID
7a74da6b-ea76-47db-92cc-874ad90df734
Status
test
Level
high
Type
Detection
Created
Wed Jun 01
Modified
Mon Feb 06
Author
Nextron Systems
Path
rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
Raw Tags
attack.defense-evasionattack.t1036attack.t1218
View on GitHub