From 21edcafa36c84d0a9aa8ee467a7bd5771af464a9 Mon Sep 17 00:00:00 2001
From: eiger
Date: Fri, 17 Jun 2022 09:21:57 +0800
Subject: [PATCH] Rule: Follina or DogWalk exploit sdiageng.dll

---
 .../image_load/image_load_msdt_sdiageng.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/image_load/image_load_msdt_sdiageng.yml

diff --git a/rules/windows/image_load/image_load_msdt_sdiageng.yml b/rules/windows/image_load/image_load_msdt_sdiageng.yml
new file mode 100644
index 000000000..7bddf6b13
--- /dev/null
+++ b/rules/windows/image_load/image_load_msdt_sdiageng.yml
@@ -0,0 +1,28 @@
+title: MSDT.exe loading Diagnostic Library
+id: ec8c4047-fad9-416a-8c81-0f479353d7f6
+status: experimental
+description: Detects both of CVE-2022-30190 and DogWalk vulnerability exploiting "msdt.exe" binary to load "sdiageng.dll" library.
+author: Greg (rule)
+references:
+    - https://twitter.com/j00sean/status/1534115332830507008
+    - https://twitter.com/nas_bench/status/1531944240271568896?t=z0hjfsgRgNb9c4NCLk-bHg&s=19
+    - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
+date: 2022/06/09
+modified: 2022/06/27
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: '\msdt.exe'
+    selection_load:
+        ImageLoaded|endswith: 'sdiageng.dll'
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1202
+    - cve.2022.30190
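Review bot: The `selection_load` match is anchored on a bare suffix, `ImageLoaded|endswith: 'sdiageng.dll'`, while `selection_img` correctly anchors on a path separator (`'\msdt.exe'`); any module whose name merely ends in that string would also match, so it should read `ImageLoaded|endswith: '\sdiageng.dll'`. The `falsepositives: Unknown` entry also looks too thin for a `level: high` rule: sdiageng.dll appears to be the scripted-diagnostics engine that msdt.exe loads for ordinary troubleshooting packs (the linked Securonix write-up discusses exactly this loading behaviour), so legitimate user-run Windows troubleshooters would presumably fire it — confirm against a baseline. If that holds, something like `- Legitimate use of Windows troubleshooting packs (msdt.exe loads sdiageng.dll for scripted diagnostics)` belongs under `falsepositives`, and the level should be lowered or the rule paired with a parent-process rule (Office or other document handlers spawning msdt.exe), since `image_load` events alone carry no parent context. Finally, the description is hard to parse; `Detects msdt.exe loading sdiageng.dll, the image load seen in both CVE-2022-30190 (Follina) and DogWalk exploitation` would state the same thing more clearly.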