The hypothesis is that an adversary is leveraging msdt.exe to create files in suspicious directories as part of exploiting Follina or Dogwalk vulnerabilities to establish persistence or execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exploitation attempts and mitigate lateral movement or data exfiltration risks.
Detection Rule
title: File Creation In Suspicious Directory By Msdt.EXE
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: test
description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
references:
    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Vadim Varganov, Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2023-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - cve.2022-30190
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        TargetFilename|contains:
            - '\Desktop\'
            - '\Start Menu\Programs\Startup\'
            - 'C:\PerfLogs\'
            - 'C:\ProgramData\'
            - 'C:\Users\Public\'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
// Sigma 'Image' is the acting process (ASIM ActingProcessName), not the created file; 'TargetFilename' is the full path (ASIM TargetFilePath, whereas TargetFileName holds only the base name).
| where ActingProcessName endswith "\\msdt.exe"
| where TargetFilePath contains "\\Desktop\\" or TargetFilePath contains "\\Start Menu\\Programs\\Startup\\" or TargetFilePath contains "C:\\PerfLogs\\" or TargetFilePath contains "C:\\ProgramData\\" or TargetFilePath contains "C:\\Users\\Public\\"
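To check the rule's matching semantics offline, here is an added Python re-implementation of the Sigma selection (not the rule authors' code and not the Sigma or Sentinel engines) run over constructed Sysmon Event ID 11 records. It assumes Sysmon-style field names Image and TargetFilename and applies Sigma's case-insensitive string matching; the fourth record shows why the filter must key on the acting process rather than on the created file's name.

```python
from typing import Dict, Iterable, List

# The TargetFilename|contains list from the Sigma rule above.
SUSPICIOUS_DIRS = (
    "\\Desktop\\",
    "\\Start Menu\\Programs\\Startup\\",
    "C:\\PerfLogs\\",
    "C:\\ProgramData\\",
    "C:\\Users\\Public\\",
)


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when a file_event record satisfies the rule's 'selection'.

    Image|endswith '\\msdt.exe' AND TargetFilename|contains any suspicious dir.
    Sigma string modifiers compare case-insensitively, hence the lower() calls.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not image.endswith("\\msdt.exe"):
        return False
    return any(d.lower() in target for d in SUSPICIOUS_DIRS)


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of records and return the hits."""
    return [e for e in events if matches_rule(e)]


# Constructed sample Sysmon Event ID 11 (FileCreate) records, not real telemetry.
SAMPLE_EVENTS = [
    # 1. msdt.exe writing into the Public profile: alert
    {"Image": "C:\\Windows\\System32\\msdt.exe",
     "TargetFilename": "C:\\Users\\Public\\update.bat"},
    # 2. msdt.exe (mixed-case image) writing to a user's Startup folder (T1547.001): alert
    {"Image": "C:\\Windows\\SysWOW64\\MSDT.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk"},
    # 3. msdt.exe writing its ordinary diagnostic output under %TEMP%: no alert
    {"Image": "C:\\Windows\\System32\\msdt.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\SDIAG_1234\\result.xml"},
    # 4. a file *named* msdt.exe copied into ProgramData by explorer.exe: no alert,
    #    because the rule keys on the acting process, not on the created file's name
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\ProgramData\\msdt.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["TargetFilename"])
```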
Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled task runs msdt.exe to perform system diagnostics or maintenance, which may involve creating temporary files in a suspicious directory.
Filter/Exclusion: Exclude files created by scheduled tasks with known names such as TaskScheduler or SystemMaintenance, and confirm that the created file sits in a standard system directory such as C:\Windows\Temp.
Scenario: Microsoft Update or Patching Process
Description: msdt.exe is used as part of the Windows Update or patching process to create temporary files in a suspicious directory during system updates.
Filter/Exclusion: Exclude files created during known update processes by checking the file name against known update-related tools like wusa.exe or by checking the parent process for svchost.exe or wuauserv.
Scenario: Admin Task for Log File Generation
Description: An administrator uses msdt.exe to generate log files for troubleshooting, which may result in file creation in a suspicious directory.
Filter/Exclusion: Exclude files created by administrative tools with known names such as logviewer.exe or eventvwr.exe, and confirm that the created file sits in a user-specific directory such as C:\Users\Administrator\AppData\Local\Temp.
Scenario: PowerShell Script Execution
Description: A PowerShell script may invoke msdt.exe to create temporary files during script execution, which could be misinterpreted as suspicious activity.
Filter/Exclusion: Exclude files created by PowerShell scripts by checking the parent process for powershell.exe or by examining the command line arguments for script execution.
Scenario: Antivirus or Security Tool Scan
Description: A security tool may use msdt.exe to perform a scan or generate temporary files in a suspicious directory as part of its operations.
*Filter/