Merge pull request #3124 from nasbench/msdt-rules

Update MSDT Rules

rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml

@@ -0,0 +1,29 @@
+title: Execute MSDT Via Answer File
+id: 9c8c7000-3065-44a8-a555-79bcba5d9955
+status: experimental
+description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
+author: Nasreddine Bencherchali
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
+date: 2022/06/13
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cli:
+        Image|endswith: '\msdt.exe'
+        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
+    selection_answer:
+        CommandLine|contains:
+            - ' -af '
+            - ' /af '
+    filter:
+        ParentImage|endswith: '\pcwrun.exe'
+    condition: all of selection* and not filter
+falsepositives:
+    - Possible undocumented parents of "msdt" other than "pcwrun"
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+    - attack.execution

rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml

@@ -0,0 +1,23 @@
+title: Execute Pcwrun.EXE To Leverage Follina
+id: 6004abd0-afa4-4557-ba90-49d172e0a299
+status: experimental
+description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
+author: Nasreddine Bencherchali
+references:
+    - https://twitter.com/nas_bench/status/1535663791362519040
+date: 2022/06/13
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\pcwrun.exe'
+        CommandLine|contains: '../'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+    - attack.execution

rules/windows/process_creation/proc_creation_win_msdt.yml

@@ -1,29 +1,33 @@
 title: Execute Arbitrary Commands Using MSDT.EXE
 id: 258fc8ce-8352-443a-9120-8a11e4857fa5
 status: experimental
-description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 / Follina exploitation
+description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
 author: Nasreddine Bencherchali (rule)
 references:
-  - https://twitter.com/nao_sec/status/1530196847679401984
-  - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
-  - https://twitter.com/_JohnHammond/status/1531672601067675648
+    - https://twitter.com/nao_sec/status/1530196847679401984
+    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
+    - https://twitter.com/_JohnHammond/status/1531672601067675648
 date: 2022/05/29
-modified: 2022/06/01
+modified: 2022/06/13
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection_specific_img:
-    - Image|endswith: '\msdt.exe'
-    - OriginalFileName: 'msdt.exe'
-  selection_specific_cmd:
-    CommandLine|contains:
-      - 'IT_BrowseForFile='
-      - '/af ' # For answer files
-  condition: all of selection_specific_*
+    selection_img:
+        - Image|endswith: '\msdt.exe'
+        - OriginalFileName: 'msdt.exe'
+    selection_cmd_inline:
+        CommandLine|contains: 'IT_BrowseForFile='
+    selection_cmd_answerfile:
+        CommandLine|contains: ' PCWDiagnostic'
+    selection_cmd_answerfile_param:
+        CommandLine|contains:
+            - ' /af '
+            - ' -af '
+    condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile*)
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1202
+    - attack.defense_evasion
+    - attack.t1202