← Library
sigmaDRL-1.1from SigmaHQ/sigma

Troubleshooting Pack Cmdlet Execution

Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1202
Rule sourcerules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
title: Troubleshooting Pack Cmdlet Execution
id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
status: test
description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
references:
    - https://twitter.com/nas_bench/status/1537919885031772161
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-21
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Invoke-TroubleshootingPack'
            - 'C:\Windows\Diagnostics\System\PCW'
            - '-AnswerFile'
            - '-Unattended'
    condition: selection
falsepositives:
    - Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
level: medium