Adversaries may abuse the Microsoft Support Diagnostic Tool (msdt.exe) to execute arbitrary code via CVE-2022-30190 (Follina) or the DogWalk .diagcab vulnerability (CVE-2022-34713). In both cases msdt.exe loads its diagnostic engine library, sdiageng.dll, which makes that image load a useful hunting pivot. SOC teams should hunt for it in Microsoft Sentinel (formerly Azure Sentinel) to identify exploitation attempts before the attacker establishes persistence.
Detection Rule
```yaml
title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
id: ec8c4047-fad9-416a-8c81-0f479353d7f6
status: test
description: Detects msdt.exe loading the "sdiageng.dll" diagnostic library, the image load observed during exploitation of both CVE-2022-30190 (Follina) and DogWalk
references:
    - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
author: Greg (rule)
date: 2022-06-17
modified: 2023-02-17
tags:
    - attack.defense-evasion
    - attack.t1202
    - cve.2022-30190
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        ImageLoaded|endswith: '\sdiageng.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
```
Equivalent query for Microsoft Sentinel over the Defender for Endpoint DeviceImageLoadEvents table (the doubled backslash is the KQL escape for one literal backslash):

```kql
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\msdt.exe" and FolderPath endswith "\\sdiageng.dll"
```

Because sdiageng.dll is the engine msdt.exe loads for any troubleshooting pack, a hit means only that msdt.exe ran. The InitiatingProcessParentFileName and InitiatingProcessCommandLine columns on the same row are what separate exploitation (an Office or browser parent, an ms-msdt: URI, a .diagcab opened from a download location) from the benign cases described below.
Scenario: Legitimate Use of msdt.exe for System Diagnostics
Description: A system administrator launches a built-in troubleshooter, for example msdt.exe /id WindowsUpdateDiagnostic, to work on a system issue. sdiageng.dll is loaded on every such run, so the rule fires.
Filter/Exclusion: Compare the troubleshooting pack ID passed after /id with the packs shipped under %SystemRoot%\diagnostics\system, and exclude only when the parent process is an interactive shell such as explorer.exe. Do not exclude on the command line alone: the Follina URI also carries /id PCWDiagnostic, and the arguments are attacker-controlled.
Scenario: Scheduled Job Running Diagnostic Tools
Description: A scheduled task runs msdt.exe as part of routine maintenance, such as a periodic run of the Windows Update troubleshooter.
Filter/Exclusion: Exclude runs whose parent is the Task Scheduler service host and whose task is known, after confirming the task definition and its action in the scheduler itself rather than trusting the msdt.exe arguments.
Scenario: Microsoft Support Troubleshooting Package
Description: A user or admin opens a troubleshooting package (.diagcab) supplied by Microsoft support to collect system information; msdt.exe loads sdiageng.dll to run it.
Filter/Exclusion: Verify the package is Microsoft-signed and came through a support channel rather than an e-mail attachment or ad-hoc download. A .diagcab opened from a user's Downloads or Temp directory is also the DogWalk delivery path and should be reviewed, not excluded.
Scenario: Antivirus or Security Software Integration
Description: A security or endpoint-management agent launches msdt.exe to run a built-in troubleshooter as a remediation step.
Filter/Exclusion: Exclude only on the parent process image (the agent's signed binary, e.g., Microsoft Defender Antivirus), never on a product name appearing in msdt.exe's own command line, which an attacker can set freely.
Scenario: Windows Update Troubleshooter
Description: During update troubleshooting, msdt.exe runs the Windows Update troubleshooting pack and loads sdiageng.dll as part of it.
Filter/Exclusion: Filter on the Windows Update pack ID (/id WindowsUpdateDiagnostic) together with a benign parent process, or check for
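As an added example (not code from this page, the Sigma project or Microsoft), the following Python applies the rule's selection to constructed image-load records and then applies the parent-process and command-line triage the scenarios above describe. The parent-process sets, the pack allow-list, the sample records and the `$(<payload>)` placeholder in the Follina command line are all assumptions made for the example; tune the lists to your environment.

```python
"""Added example: Sigma selection plus triage for msdt.exe -> sdiageng.dll loads.

Field names follow Sigma's image_load category; the matching Defender
DeviceImageLoadEvents column is noted beside each field. Sample records
below are constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    image: str          # Image        / InitiatingProcessFolderPath
    image_loaded: str   # ImageLoaded  / FolderPath
    parent_image: str   # ParentImage  / InitiatingProcessParentFileName
    command_line: str   # CommandLine  / InitiatingProcessCommandLine


# Assumed lists (tune per environment). Document handlers have no business
# spawning msdt.exe; Follina lands here. Interactive shells are where an admin
# launches a troubleshooter by hand.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "msedge.exe", "chrome.exe", "firefox.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "control.exe", "systemsettings.exe"}
KNOWN_PACKS = {"windowsupdatediagnostic", "networkdiagnosticsweb",
               "audioplaybackdiagnostic"}
# Fragments of the Follina ms-msdt: URI and its IT_BrowseForFile injection point.
EXPLOIT_MARKERS = ("ms-msdt:", "it_browseforfile", "it_rebrowseforfile")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rule(ev: ImageLoad) -> bool:
    """The Sigma selection: Image ends with \\msdt.exe, ImageLoaded with \\sdiageng.dll."""
    return (ev.image.lower().endswith("\\msdt.exe")
            and ev.image_loaded.lower().endswith("\\sdiageng.dll"))


def pack_id(command_line: str):
    """Troubleshooting pack ID passed after /id (also matches ms-msdt:/id ...)."""
    m = re.search(r"/id\s+([\w.-]+)", command_line, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(ev: ImageLoad) -> tuple:
    """Return (verdict, reason). Verdicts: no-match, suspicious, review, likely-benign."""
    if not matches_rule(ev):
        return "no-match", ""
    cmd = ev.command_line.lower()
    parent = _basename(ev.parent_image)
    # Order matters: the Follina command line also carries a normal-looking
    # "/id PCWDiagnostic", so marker and parent checks run before any allow-list.
    if any(marker in cmd for marker in EXPLOIT_MARKERS):
        return "suspicious", "Follina URI markers in command line"
    if parent in DOCUMENT_PARENTS:
        return "suspicious", f"msdt.exe launched by {parent}"
    if ".diagcab" in cmd:
        # DogWalk delivery and signed Microsoft troubleshooters both arrive this way.
        return "review", "diagcab package opened with msdt.exe"
    if pack_id(cmd) in KNOWN_PACKS and parent in INTERACTIVE_PARENTS:
        return "likely-benign", f"known pack {pack_id(cmd)} from {parent}"
    return "review", "msdt.exe with unrecognised pack or parent"


# Constructed sample records (assumed paths and users, not real telemetry).
SAMPLE_EVENTS = {
    "follina": ImageLoad(
        r"C:\Windows\System32\msdt.exe", r"C:\Windows\System32\sdiageng.dll",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r'"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
        r'/param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(<payload>)"'),
    "dogwalk": ImageLoad(
        r"C:\Windows\System32\msdt.exe", r"C:\Windows\System32\sdiageng.dll",
        r"C:\Windows\explorer.exe",
        r'"C:\Windows\system32\msdt.exe" /cab "C:\Users\alice\Downloads\invoice.diagcab"'),
    "admin": ImageLoad(
        r"C:\Windows\System32\msdt.exe", r"C:\Windows\System32\sdiageng.dll",
        r"C:\Windows\explorer.exe",
        r"msdt.exe /id WindowsUpdateDiagnostic"),
    "unrelated": ImageLoad(
        r"C:\Windows\explorer.exe", r"C:\Windows\System32\shell32.dll",
        r"C:\Windows\System32\userinit.exe", r"C:\Windows\Explorer.EXE"),
}


def run(events: dict) -> dict:
    """Triage every record; keyed by the sample name."""
    return {name: triage(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run(SAMPLE_EVENTS).items():
        print(f"{name:10} {verdict:14} {reason}")
```

The ordering in `triage` is the point: an allow-list keyed on the pack ID alone would pass the Follina record, because its command line contains `/id PCWDiagnostic` like any hand-launched troubleshooter. Only the parent process and the URI markers, both of which the attacker cannot remove from this exploitation path, let the benign admin run through while the Word-spawned one is flagged.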