Detection: Windows Execute Arbitrary Commands with MSDT
Description
The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product.
Annotations
No annotations available.
Implementation
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Known False Positives
False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| $process_name$ on $dest_device_id$ under user $dest_user_id$ possibly indicative of indirect command execution. | 100 | 100 | 100 |
References
-
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
-
https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A
-
https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
-
https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html
Version: 4