← Back to Explore
sigmahighHunting
File Creation In Suspicious Directory By Msdt.EXE
Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
Detection Query
selection:
Image|endswith: \msdt.exe
TargetFilename|contains:
- \Desktop\
- \Start Menu\Programs\Startup\
- C:\PerfLogs\
- C:\ProgramData\
- C:\Users\Public\
condition: selection
Author
Vadim Varganov, Florian Roth (Nextron Systems)
Created
2022-08-24
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.t1547.001cve.2022-30190
Raw Content
title: File Creation In Suspicious Directory By Msdt.EXE
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: test
description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
references:
- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Vadim Varganov, Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2023-02-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- cve.2022-30190
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\msdt.exe'
TargetFilename|contains:
- '\Desktop\'
- '\Start Menu\Programs\Startup\'
- 'C:\PerfLogs\'
- 'C:\ProgramData\'
- 'C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
level: high