Update file_event_win_msdt_autorun.yml

rules/windows/file_event/file_event_win_msdt_autorun.yml

@@ -1,22 +1,29 @@
-title: msdt.exe Create file in Autorun directory 
+title: MSDT.exe Creates Files in Autorun Directory 
 id: 318557a5-150c-4c8d-b70e-a9910e199857
 status: experimental
-description: Detection msdt.exe create executable file in autorun directory. CVE-2022-30190
-author: Vadim Varganov
+description: Detects msdt.exe creating files in suspicious directories
+author: Vadim Varganov, Florian Roth
 references:
     - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd 
+    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
 date: 2022/08/24
+tags:
+    - attack.persistence
+    - attack.t1547.001
+    - cve.2022.30190
 logsource:
     category: file_event
     product: windows
 detection:
     selection:
-        - Image|endswith: '\msdt.exe'
-        - TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\' 
+        Image|endswith: '\msdt.exe'
+        TargetFilename|contains: 
+            - '\Start Menu\Programs\Startup\'
+            - 'C:\Users\Public\'
+            - 'C:\PerfLogs\'
+            - '\Desktop\'
+            - 'C:\ProgramData\'
     condition: selection
 falsepositives:
-    - Undefined
+    - Unknown
 level: high
-tags:
-    - attack.persistence
-    - attack.t1547.001