In the previous blog we covered the technical details of CVE-2022-30190 (Follina). The detections published so far, including those in that post, have keyed almost entirely on Microsoft Office as the initial attack vector: an Office process (WINWORD.EXE, EXCEL.EXE and so on) spawning msdt.exe.
That parent-process anchor is not enough. msdt.exe can be launched directly from a cmd or PowerShell terminal with the same ms-msdt: URI, the same PCWDiagnostic package and the same directory-traversal path in the IT_BrowserForFile parameter, with no Office process anywhere in the chain.
Hunting queries should therefore treat the msdt.exe invocation itself as the primary detection condition: the msdt.exe / ms-msdt: launcher, the PCWDiagnostic package, one of the IT_BrowserForFile / IT_LaunchMethod / IT_RebrowseForFile parameters, and a traversal sequence (//, ./, /. or ../) in the command line, all present together. Requiring all four keeps the built-in troubleshooters (msdt.exe launched with -id and a normal path) from firing the rule, and the Office parent becomes an enrichment or a higher-severity variant rather than the entry condition. The rules below are written that way.
Special Thanks to Nasreddin and Samir
Detection Rules:
MDE:
DeviceProcessEvents | where ((ProcessCommandLine contains "msdt.exe" or ProcessCommandLine contains "ms-msdt:-id" or ProcessCommandLine contains "ms-msdt:/id") and (ProcessCommandLine contains "PCWDiagnostic") and (ProcessCommandLine contains "IT_BrowserForFile" or ProcessCommandLine contains "IT_LaunchMethod" or ProcessCommandLine contains "IT_RebrowseForFile") and (ProcessCommandLine contains "//" or ProcessCommandLine contains "./" or ProcessCommandLine contains "/." or ProcessCommandLine contains "../"))
QRadar:
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("Process CommandLine" ilike '%msdt.exe%' or "Process CommandLine" ilike '%ms-msdt:-id%' or "Process CommandLine" ilike '%ms-msdt:/id%') and ("Process CommandLine" ilike '%PCWDiagnostic%') and ("Process CommandLine" ilike '%IT_BrowserForFile%' or "Process CommandLine" ilike '%IT_LaunchMethod%' or "Process CommandLine" ilike '%IT_RebrowseForFile%') and ("Process CommandLine" ilike '%//%' or "Process CommandLine" ilike '%./%' or "Process CommandLine" ilike '%/.%' or "Process CommandLine" ilike '%../%')
Elastic:
(process.command_line:(msdt.exe OR ms-msdt\:-id OR ms-msdt\:\/id) AND process.command_line:PCWDiagnostic AND process.command_line:(IT_BrowserForFile OR IT_LaunchMethod OR IT_RebrowseForFile) AND process.command_line:(\/\/ OR .\/ OR \/. OR ..\/))
Splunk (field=value in SPL is an exact match, so every token is wrapped in * wildcards to get the same "contains" semantics as the other rules; the original ended with "../*" and had no wildcards elsewhere):
(source="WinEventLog:*" AND (CommandLine="*msdt.exe*" OR CommandLine="*ms-msdt:-id*" OR CommandLine="*ms-msdt:/id*") AND (CommandLine="*PCWDiagnostic*") AND (CommandLine="*IT_BrowserForFile*" OR CommandLine="*IT_LaunchMethod*" OR CommandLine="*IT_RebrowseForFile*") AND (CommandLine="*//*" OR CommandLine="*./*" OR CommandLine="*/.*" OR CommandLine="*../*"))
CrowdStrike (same wildcard fix as the Splunk rule, since Event Search uses the same exact-match field syntax):
((((CommandHistory="*msdt.exe*" OR CommandHistory="*ms-msdt:-id*" OR CommandHistory="*ms-msdt:/id*") OR (CommandLine="*msdt.exe*" OR CommandLine="*ms-msdt:-id*" OR CommandLine="*ms-msdt:/id*")) AND ((CommandHistory="*PCWDiagnostic*") OR (CommandLine="*PCWDiagnostic*"))) AND ((CommandHistory="*IT_BrowserForFile*" OR CommandHistory="*IT_LaunchMethod*" OR CommandHistory="*IT_RebrowseForFile*") OR (CommandLine="*IT_BrowserForFile*" OR CommandLine="*IT_LaunchMethod*" OR CommandLine="*IT_RebrowseForFile*")) AND ((CommandHistory="*//*" OR CommandHistory="*./*" OR CommandHistory="*/.*" OR CommandHistory="*../*") OR (CommandLine="*//*" OR CommandLine="*./*" OR CommandLine="*/.*" OR CommandLine="*../*")))
FireEye Helix:
(metaclass:windows args:[msdt.exe,ms-msdt:-id,ms-msdt:/id] args:PCWDiagnostic args:[IT_BrowserForFile,IT_LaunchMethod,IT_RebrowseForFile] args:[//,./,/.,../])
Microsoft Sentinel:
SecurityEvent | where EventID == 4688 | where ((CommandLine contains 'msdt.exe' or CommandLine contains 'ms-msdt:-id' or CommandLine contains 'ms-msdt:/id') and (CommandLine contains 'PCWDiagnostic') and (CommandLine contains 'IT_BrowserForFile' or CommandLine contains 'IT_LaunchMethod' or CommandLine contains 'IT_RebrowseForFile') and (CommandLine contains '//' or CommandLine contains './' or CommandLine contains '/.' or CommandLine contains '../'))
Windows PowerShell (the original pipeline called Get-WinEvent with no log selected and matched "CommandLine..token", which only fits a token at the very start of the field and does not match the "Process Command Line:" label that event 4688 actually uses; the version below reads the Security log for event 4688, anchors every pattern on the real label, and escapes the literal dots):
$cl = 'Process Command Line:.*'
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {
  (($_.Message -match "${cl}msdt\.exe" -or $_.Message -match "${cl}ms-msdt:-id" -or $_.Message -match "${cl}ms-msdt:/id") -and
   ($_.Message -match "${cl}PCWDiagnostic") -and
   ($_.Message -match "${cl}IT_BrowserForFile" -or $_.Message -match "${cl}IT_LaunchMethod" -or $_.Message -match "${cl}IT_RebrowseForFile") -and
   ($_.Message -match "${cl}//" -or $_.Message -match "${cl}\./" -or $_.Message -match "${cl}/\." -or $_.Message -match "${cl}\.\./"))
} | Select-Object TimeCreated,Id,RecordId,ProcessId,MachineName,Message
Every rule above that reads the Windows Security Event Log (QRadar, Splunk, Sentinel, PowerShell) depends on the command line being present in event 4688, which requires both "Audit Process Creation" and "Include command line in process creation events" to be enabled by policy; without them the CommandLine field is empty and none of these rules can fire. MDE and CrowdStrike collect the command line from their own sensors and are not affected.
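The following is an added example, not code from the original post: the same four-part condition that every rule above expresses (a launcher token AND PCWDiagnostic AND one IT_* parameter AND a traversal sequence), implemented as a Python function and run over a handful of constructed process-creation records. It also puts the narrower Office-parent check beside it to show what that check misses when msdt.exe is started from cmd or PowerShell. The records, field names and the OFFICE_PARENTS list are assumptions made for this example, and the IT_BrowserForFile payload is replaced with a $(REDACTED) placeholder since only the surrounding structure matters to the rule.

```python
# Added example (not from the original post): command-line based msdt.exe
# detection versus an Office-parent-anchored check, over constructed records.
from dataclasses import dataclass

# Groups are AND'ed together; tokens inside a group are OR'ed, exactly as in
# the SIEM rules. Matching is case-insensitive substring matching, which is
# what KQL `contains` and AQL `ilike '%x%'` do.
CONDITION_GROUPS = {
    "launcher":  ("msdt.exe", "ms-msdt:-id", "ms-msdt:/id"),
    "package":   ("PCWDiagnostic",),
    "parameter": ("IT_BrowserForFile", "IT_LaunchMethod", "IT_RebrowseForFile"),
    "traversal": ("//", "./", "/.", "../"),
}

# Office parents that the older, parent-anchored detections keyed on (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal 4688 / DeviceProcessEvents-style record (constructed fields)."""
    parent_image: str
    image: str
    command_line: str


def matched_groups(command_line: str) -> set:
    """Names of the condition groups satisfied by one command line."""
    lowered = command_line.lower()
    return {
        name for name, tokens in CONDITION_GROUPS.items()
        if any(token.lower() in lowered for token in tokens)
    }


def is_suspicious_msdt(event: ProcessEvent) -> bool:
    """Command-line rule: fires when all four groups match, whatever the parent."""
    return matched_groups(event.command_line) == set(CONDITION_GROUPS)


def office_spawned_msdt(event: ProcessEvent) -> bool:
    """Parent-anchored rule: an Office process starting msdt.exe, nothing else."""
    return (event.parent_image.lower() in OFFICE_PARENTS
            and event.image.lower().endswith("msdt.exe"))


# Constructed sample records; $(REDACTED) stands in for the real payload.
TRAVERSAL_PARAM = ('IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
                   'IT_BrowserForFile=h$(REDACTED)i/../../../../../../'
                   'Windows/System32/mpsigstub.exe')

SAMPLE_EVENTS = [
    # 1. Classic chain: Word spawns msdt.exe through the ms-msdt: handler.
    ProcessEvent("WINWORD.EXE", r"C:\Windows\System32\msdt.exe",
                 r'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic '
                 f'/skip force /param "{TRAVERSAL_PARAM}"'),
    # 2. Same invocation typed at a cmd prompt: no Office process involved.
    ProcessEvent("cmd.exe", r"C:\Windows\System32\msdt.exe",
                 f'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "{TRAVERSAL_PARAM}"'),
    # 3. Started from PowerShell via the URI handler; parent is the user's shell.
    ProcessEvent("explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -c Start-Process 'ms-msdt:/id PCWDiagnostic "
                 f"/skip force /param \"{TRAVERSAL_PARAM}\"'"),
    # 4. Benign: built-in network troubleshooter, no PCWDiagnostic package.
    ProcessEvent("explorer.exe", r"C:\Windows\System32\msdt.exe",
                 r"C:\Windows\System32\msdt.exe -id NetworkDiagnosticsWeb -skip force"),
    # 5. Benign: compatibility troubleshooter pointed at a real path; no
    #    traversal sequence, so only three of the four groups match.
    ProcessEvent("explorer.exe", r"C:\Windows\System32\msdt.exe",
                 r'msdt.exe -id PCWDiagnostic -skip force -param "IT_BrowserForFile=C:\Program Files\Contoso\app.exe"'),
]


def triage(events):
    """Return (parent, office_rule_hit, command_line_rule_hit) per event."""
    return [(e.parent_image, office_spawned_msdt(e), is_suspicious_msdt(e))
            for e in events]


if __name__ == "__main__":
    for parent, office_hit, cmdline_hit in triage(SAMPLE_EVENTS):
        print(f"{parent:<14} office-parent rule: {office_hit!s:<5} "
              f"command-line rule: {cmdline_hit}")
```

Records 2 and 3 are the case the post is about: the command-line rule fires on both, the Office-parent rule on neither. Records 4 and 5 show why all four groups are required rather than just the msdt.exe token; a plain troubleshooter launch, even one that uses the PCWDiagnostic package with a normal path, stops short of the traversal group and stays quiet.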