Detectionhightest

Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE

Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

GregCreated Fri Jun 17Updated Fri Feb 17ec8c4047-fad9-416a-8c81-0f479353d7f6windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\msdt.exe'
        ImageLoaded|endswith: '\sdiageng.dll'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Other

cve.2022-30190

Rule Metadata

Rule ID

ec8c4047-fad9-416a-8c81-0f479353d7f6

Status

test

Level

high

Type

Detection

Created

Fri Jun 17

Modified

Fri Feb 17

Author

Path

rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml

Raw Tags

attack.defense-evasionattack.t1202cve.2022-30190