← Library
sigmaDRL-1.1from SigmaHQ/sigma

MSDT Execution Via Answer File

Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).

Quality
88
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/process_creation/proc_creation_win_msdt_answer_file_exec.yml
title: MSDT Execution Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: |
    Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
modified: 2025-10-29
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
        CommandLine|contains|windash: ' -af '
    filter_main_pcwrun:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Possible undocumented parents of "msdt" other than "pcwrun".
level: high