From ffd236158cd58af9bc383ec31930e508fad162b8 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 13 Jun 2022 14:30:35 +0100
Subject: [PATCH 1/3] Update MSDT Rules
---
 ...c_creation_win_lolbin_msdt_answer_file.yml | 29 ++++++++++++++++
 ...roc_creation_win_lolbin_pcwrun_follina.yml | 23 +++++++++++++
 .../proc_creation_win_msdt.yml | 33 ++++++++++---------
 3 files changed, 70 insertions(+), 15 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml b/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
new file mode 100644
index 000000000..39895e4cb
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
@@ -0,0 +1,29 @@
+title: Execute MSDT Via Answer File
+id: 9c8c7000-3065-44a8-a555-79bcba5d9955
+status: experimental
+description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
+author: Nasreddine Bencherchali
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
+date: 2022/06/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cli:
+ Image|endswith: '\msdt.exe'
+ CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
+ selection_answer:
+ CommandLine|contains:
+ - ' -af '
+ - ' /af '
+ filter:
+ ParentImage|endswith: '\pcwrun.exe'
+ condition: all of selection* and not filter
+falsepositives:
+ - Possible undocumented parents of "msdt" other than "pcwrun"
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
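Review bot: The trigger of this new rule — `\msdt.exe` together with the `PCWDiagnostic` answer-file invocation and ` -af `/` /af ` — is the same combination that the rewritten `proc_creation_win_msdt.yml` in this patch (id 258fc8ce-8352-443a-9120-8a11e4857fa5) now matches, so every event this rule fires on also fires that rule at level high; the only thing this rule adds is the `ParentImage|endswith: '\pcwrun.exe'` filter. That relationship should be recorded, for instance with a `related:` entry pointing at `258fc8ce-8352-443a-9120-8a11e4857fa5` and a sentence in `description` saying this is the parent-process-anomaly variant, so the two are not tuned independently. Note as well that `not filter` evaluates true on most backends when the event carries no `ParentImage` field at all, so log sources without parent-process enrichment will match on the command line alone; that deserves a line under `falsepositives` next to the undocumented-parents entry.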
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
new file mode 100644
index 000000000..125fde862
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
@@ -0,0 +1,23 @@
+title: Execute Pcwrun.EXE To Leverage Follina
+id: 6004abd0-afa4-4557-ba90-49d172e0a299
+status: experimental
+description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/nas_bench/status/1535663791362519040
+date: 2022/06/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\pcwrun.exe'
+ CommandLine|contains: '../'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index 9eb580e3e..b8f5eb245 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
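Review bot: `CommandLine|contains: '../'` is the only discriminator after the image check in `selection`, and nothing in the rule says why that single string characterises the technique, so a maintainer cannot tell whether the backslash form `..\`, which Windows path handling also accepts, was left out deliberately or by oversight. An inline comment on that line, `# relative-path traversal in the pcwrun.exe argument, see reference`, plus an explicit decision on whether the backslash variant belongs in the list, would make the coverage reviewable rather than implicit. The sole reference is a tweet; a more durable write-up alongside it would keep the rule explainable once the link rots. `selection` is the whole detection, so the hunk is self-contained.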
@@ -1,26 +1,29 @@
 title: Execute Arbitrary Commands Using MSDT.EXE
 id: 258fc8ce-8352-443a-9120-8a11e4857fa5
 status: experimental
-description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
+description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
 author: Nasreddine Bencherchali (rule)
 references:
- - https://twitter.com/nao_sec/status/1530196847679401984
- - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
- - https://twitter.com/_JohnHammond/status/1531672601067675648
+ - https://twitter.com/nao_sec/status/1530196847679401984
+ - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
+ - https://twitter.com/_JohnHammond/status/1531672601067675648
 date: 2022/05/29
-modified: 2022/06/01
+modified: 2022/06/13
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection_specific_img:
- - Image|endswith: '\msdt.exe'
- - OriginalFileName: 'msdt.exe'
- selection_specific_cmd:
- CommandLine|contains:
- - 'IT_BrowseForFile='
- - '/af ' # For answer files
- condition: all of selection_specific_*
+ selection_img:
+ - Image|endswith: '\msdt.exe'
+ - OriginalFileName: 'msdt.exe'
+ selection_specific_cmd_inline:
+ CommandLine|contains: 'IT_BrowseForFile='
+ selection_specific_cmd_answerfile:
+ CommandLine|contains: ' PCWDiagnostic'
+ selection_specific_cmd_answerfile_param:
+ - ' /af '
+ - ' -af '
+ condition: selection_img and (selection_specific_cmd_inline or all of selection_specific_cmd_answerfile*)
 falsepositives:
 - Unknown
 level: high
From 8ca55de64c149de74a35b342cf76a6bdaeb68521 Mon Sep 17 00:00:00 2001
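Review bot: The rewritten detection narrows the answer-file branch relative to the removed one: the old `'/af '` match fired on any `msdt.exe` answer-file invocation, whereas the new `all of selection_specific_cmd_answerfile*` also requires `' PCWDiagnostic'` on the command line, so `-af` runs that reference any other diagnostic pack no longer match. If that narrowing is intended, state it in `description` (e.g. `… using an answer file for the PCWDiagnostic pack …`) and under `falsepositives`; if not, the `PCWDiagnostic` selection should be ORed into the condition as an extra signal rather than ANDed as a requirement. The bare list under `selection_specific_cmd_answerfile_param` carries no field modifier at this commit, which the third patch in the series repairs. Separately, the `references` and `logsource` lines are removed and re-added with only their indentation changed, which folds a whitespace normalisation into a logic change and makes the semantic diff harder to see; a separate whitespace commit would be cleaner.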
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 13 Jun 2022 14:33:12 +0100
Subject: [PATCH 2/3] Update proc_creation_win_msdt.yml
---
 rules/windows/process_creation/proc_creation_win_msdt.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index b8f5eb245..094c18cc6 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -23,10 +23,10 @@ detection:
 selection_specific_cmd_answerfile_param:
 - ' /af '
 - ' -af '
- condition: selection_img and (selection_specific_cmd_inline or all of selection_specific_cmd_answerfile*)
+ condition: selection_img and (selection_specific_cmd_inline or all of selection_specific_cmd_answerfile*)
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.defense_evasion
- - attack.t1202
+ - attack.defense_evasion
+ - attack.t1202
From 0e0f44fc0c53ca9890d53dab365d86a7fa59066a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 13 Jun 2022 16:36:19 +0100
Subject: [PATCH 3/3] Update proc_creation_win_msdt.yml
---
 .../windows/process_creation/proc_creation_win_msdt.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index 094c18cc6..53041a1b9 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -16,14 +16,15 @@ detection:
 selection_img:
 - Image|endswith: '\msdt.exe'
 - OriginalFileName: 'msdt.exe'
- selection_specific_cmd_inline:
+ selection_cmd_inline:
 CommandLine|contains: 'IT_BrowseForFile='
- selection_specific_cmd_answerfile:
+ selection_cmd_answerfile:
 CommandLine|contains: ' PCWDiagnostic'
- selection_specific_cmd_answerfile_param:
+ selection_cmd_answerfile_param:
+ CommandLine|contains:
 - ' /af '
 - ' -af '
- condition: selection_img and (selection_specific_cmd_inline or all of selection_specific_cmd_answerfile*)
+ condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile*)
 falsepositives:
 - Unknown
 level: high
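Review bot: The added `CommandLine|contains:` under `selection_cmd_answerfile_param` is inserted above two context lines (`- ' /af '`, `- ' -af '`) that keep the indentation they had as a bare list, so the items now sit flush with their new key rather than one level deeper as every other sequence in this rule is written (`references:`, `selection_img:`); a flush sequence is valid YAML but inconsistent within the file, and the two items should be re-indented under the key. The exact columns cannot be confirmed from the collapsed hunk: if the new key landed at the selection-name level it becomes a sibling of `selection_cmd_answerfile_param` and leaves that selection null, which `all of selection_cmd_answerfile*` would then silently never satisfy, so verify the rendered file parses with both items nested under `CommandLine|contains`. The hunk also leaves the `modified:` date from the first patch in place, which is fine for a same-day series but should be checked if the patches land on different days.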