From f9b895759ba295b1c042e27fabcd80605a321a7f Mon Sep 17 00:00:00 2001
From: Paul Hager <28906717+pH-T@users.noreply.github.com>
Date: Fri, 3 Jun 2022 12:13:51 +0200
Subject: [PATCH 1/3] new rules for msdt cloaking
---
 .../proc_creation_win_renamed_msdt.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
new file mode 100644
index 000000000..10cf58959
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
@@ -0,0 +1,23 @@
+title: Process Creation with Renamed Msdt.exe
+id: bd1c6866-65fc-44b2-be51-5588fcff82b9
+status: experimental
+description: Detects process creation with a renamed Msdt.exe
+author: pH-T
+date: 2022/06/03
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName: 'msdt.exe'
+ filter_realbrowsercore:
+ Image|endswith: '\msdt.exe'
+ condition: selection and not 1 of filter*
+falsepositives:
+ - Unknown
+level: high
From 1ba6dab453dab39824096b2a43b4df357e2f6b57 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 3 Jun 2022 15:42:43 +0200
Subject: [PATCH 2/3] Update proc_creation_win_renamed_msdt.yml
---
 .../windows/process_creation/proc_creation_win_renamed_msdt.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
index 10cf58959..59ee412ba 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
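Review bot: The `selection` block matches only on `OriginalFileName`, so the rule depends on a log source that records PE version metadata, and on sources that do not carry that field (plain process-creation auditing rather than Sysmon process-creation events, as far as I can tell) it never fires and is silently inert; the rule does not state this requirement anywhere. Suggest extending the description, e.g. `description: Detects process creation with a renamed Msdt.exe. Requires a log source that records the PE OriginalFileName (e.g. Sysmon process creation events).` The filter excludes any image whose name ends in `\msdt.exe` regardless of directory, which is consistent with a T1036.003 rename-only rule but is not obvious to a reader; a one-line YAML comment on the filter such as `# only the binary name is checked; a copy of the genuine msdt.exe under another path is out of scope here` would make that intent explicit and steer tuning toward a separate path-based rule rather than loosening this one.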
@@ -1,4 +1,4 @@
-title: Process Creation with Renamed Msdt.exe
+title: Renamed Msdt.exe
 id: bd1c6866-65fc-44b2-be51-5588fcff82b9
 status: experimental
 description: Detects process creation with a renamed Msdt.exe
From 07628f6795ac8332d7272ab11aca8049242defdd Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 3 Jun 2022 17:03:33 +0200
Subject: [PATCH 3/3] Update proc_creation_win_renamed_msdt.yml
---
 .../process_creation/proc_creation_win_renamed_msdt.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
index 59ee412ba..ac7e3f930 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
@@ -15,9 +15,9 @@ logsource:
 detection:
 selection:
 OriginalFileName: 'msdt.exe'
- filter_realbrowsercore:
+ filter_realmsdt:
 Image|endswith: '\msdt.exe'
 condition: selection and not 1 of filter*
 falsepositives:
- - Unknown
+ - Unlikely
 level: high