EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Suspicious Cabinet File Execution Via Msdt.EXE

Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190

MITRE ATT&CK

T1202
defense-evasion

Detection Query

selection_img:
  - Image|endswith: \msdt.exe
  - OriginalFileName: msdt.exe
selection_cmd:
  CommandLine|contains|windash: " -cab "
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113

Created

2022-06-21

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1202
Raw Content
title: Suspicious Cabinet File Execution Via Msdt.EXE
id: dc4576d4-7467-424f-9eee-fd2b02855fe0
related:
    - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
      type: obsolete
status: test
description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
references:
    - https://twitter.com/nas_bench/status/1537896324837781506
    - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
date: 2022-06-21
modified: 2024-03-13
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    selection_cmd:
        CommandLine|contains|windash: ' -cab '
    condition: all of selection_*
falsepositives:
    - Legitimate usage of ".diagcab" files
level: medium