Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

MSDT Execution Via Answer File

Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Jun 13Updated Wed Oct 299c8c7000-3065-44a8-a555-79bcba5d9955windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        Image|endswith: '\msdt.exe'
        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
        CommandLine|contains|windash: ' -af '
    filter_main_pcwrun:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection and not 1 of filter_main_*
False Positives

Possible undocumented parents of "msdt" other than "pcwrun".

References
1
Resolving title…
lolbas-project.github.io
MITRE ATT&CK
Rule Metadata
Rule ID
9c8c7000-3065-44a8-a555-79bcba5d9955
Status
test
Level
high
Type
Detection
Created
Mon Jun 13
Modified
Wed Oct 29
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_msdt_answer_file_exec.yml
Raw Tags
attack.defense-evasionattack.t1218attack.execution
View on GitHub