Detection · medium · test
Suspicious Cabinet File Execution Via Msdt.EXE
Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious .diagcab files with embedded answer files leveraging CVE-2022-30190
Authors: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, François Hubaut
Created: Tue Jun 21 · Updated: Wed Mar 13
Rule ID: dc4576d4-7467-424f-9eee-fd2b02855fe0 · Product: windows
Log Source
Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    selection_cmd:
        CommandLine|contains|windash: ' -cab '
    condition: all of selection_*

selection_img is a list, so it matches on either the image path or the PE OriginalFileName; a renamed copy of msdt.exe is therefore still caught as long as the process-creation telemetry records OriginalFileName. The windash modifier expands ' -cab ' so that the slash form ' /cab ' (and, on backends implementing the current Sigma specification, the Unicode dash variants) also matches. Note that the value carries a space on both sides, so the flag must be followed by an argument. The condition requires both selections to hold.

False Positives
Legitimate usage of ".diagcab" files
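To make the matching semantics concrete, here is an added Python example that re-implements the rule above in plain code and runs it over constructed process-creation events. It is not part of the Sigma rule or of the SigmaHQ project. It assumes Sigma's default case-insensitive string matching, and it expands the windash modifier to the dash set of the current Sigma specification ('-', '/', en dash, em dash and horizontal bar); older backends expand only '-' and '/'. All event records, paths and file names below are invented for illustration.

```python
"""Re-implementation of the 'Suspicious Cabinet File Execution Via Msdt.EXE'
Sigma rule, run over constructed process_creation events.
Added example; not the rule's own code and not a SigmaHQ/pySigma API."""
from typing import Dict, List

# Characters the windash modifier expands '-' to. Assumption: the set from the
# current Sigma specification; older backends only expand to '-' and '/'.
WINDASH_CHARS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(value: str) -> List[str]:
    """Return every variant of `value` with each '-' swapped for each dash char."""
    variants = [""]
    for ch in value:
        if ch == "-":
            variants = [v + dash for v in variants for dash in WINDASH_CHARS]
        else:
            variants = [v + ch for v in variants]
    return variants


# Pre-computed, lower-cased patterns: Sigma string matching is case-insensitive.
CAB_PATTERNS = [v.lower() for v in windash_variants(" -cab ")]


def selection_img(event: Dict[str, str]) -> bool:
    """selection_img: a YAML list of field maps is OR-ed together."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\msdt.exe") or original == "msdt.exe"


def selection_cmd(event: Dict[str, str]) -> bool:
    """selection_cmd: CommandLine|contains|windash ' -cab '."""
    cmd = event.get("CommandLine", "").lower()
    return any(p in cmd for p in CAB_PATTERNS)


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* (both selections must hold)."""
    return selection_img(event) and selection_cmd(event)


# Constructed sample events (hypothetical); EventId is just a label for output.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Classic case: system msdt.exe launched with a .diagcab -> alert
    {"EventId": "ev1", "Image": r"C:\Windows\System32\msdt.exe",
     "OriginalFileName": "msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" -cab C:\Users\bob\Downloads\invoice.diagcab'},
    # Slash form of the flag, caught only because of windash -> alert
    {"EventId": "ev2", "Image": r"C:\Windows\SysWOW64\msdt.exe",
     "OriginalFileName": "msdt.exe",
     "CommandLine": r'msdt.exe /cab "C:\Temp\update.diagcab" /path C:\Temp'},
    # Renamed binary: Image misses it, OriginalFileName still matches -> alert
    {"EventId": "ev3", "Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "msdt.exe",
     "CommandLine": r"svc.exe -cab C:\Users\Public\a.diagcab"},
    # Benign troubleshooter launch without -cab -> no alert
    {"EventId": "ev4", "Image": r"C:\Windows\System32\msdt.exe",
     "OriginalFileName": "msdt.exe",
     "CommandLine": r"msdt.exe -id PCWDiagnostic -skip yes"},
    # Different tool that happens to take a -cab argument -> no alert
    {"EventId": "ev5", "Image": r"C:\tools\makecab.exe",
     "OriginalFileName": "MAKECAB.EXE",
     "CommandLine": r"makecab.exe -cab out.cab"},
    # Upper-case flag: matched because Sigma compares case-insensitively -> alert
    {"EventId": "ev6", "Image": r"C:\Windows\System32\msdt.exe",
     "OriginalFileName": "msdt.exe",
     "CommandLine": r"msdt.exe -CAB C:\x.diagcab"},
    # Flag with no argument: the pattern ' -cab ' needs a trailing space -> no alert
    {"EventId": "ev7", "Image": r"C:\Windows\System32\msdt.exe",
     "OriginalFileName": "msdt.exe",
     "CommandLine": r"msdt.exe -cab"},
]


def matching_ids(events: List[Dict[str, str]]) -> List[str]:
    """Return the EventIds of the events the rule fires on."""
    return [e["EventId"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if matches(e) else "ok   "
        print(f"{e['EventId']}: {verdict}  {e['CommandLine']}")
```

Running it flags ev1, ev2, ev3 and ev6 and leaves the rest alone. ev3 is the reason the OriginalFileName branch is worth keeping in your pipeline (it only works when your process-creation source populates that field, as Sysmon and some EDRs do), and ev7 shows the effect of the surrounding spaces in ' -cab ': an invocation that ends on the flag itself will not match.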
MITRE ATT&CK
Tactics: Defense Evasion
Techniques: T1202 (Indirect Command Execution)
Related Rules
Similar: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 (rule not found)
Rule Metadata
Rule ID
dc4576d4-7467-424f-9eee-fd2b02855fe0
Status
test
Level
medium
Type
Detection
Created
Tue Jun 21
Modified
Wed Mar 13
Path
rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
Raw Tags
attack.defense-evasion, attack.t1202