← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious MSDT Parent Process

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

Quality
60
FP risk
Forks
0
Views
0
ATT&CK techniques
T1036T1218
Rule sourcerules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
title: Suspicious MSDT Parent Process
id: 7a74da6b-ea76-47db-92cc-874ad90df734
status: test
description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
author: Nextron Systems
date: 2022-06-01
modified: 2023-02-06
tags:
    - attack.defense-evasion
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            # Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50
    selection_msdt:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high