From e9d18b50751503fc7803d5e4ce48e28faadd77a5 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 29 May 2022 12:53:45 +0100
Subject: [PATCH] Create proc_creation_win_msdt.yml

---
 .../proc_creation_win_msdt.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_msdt.yml

diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
new file mode 100644
index 000000000..3ad578266
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -0,0 +1,26 @@
+title: Execute Arbitrary Commands Using MSDT.EXE
+id: 258fc8ce-8352-443a-9120-8a11e4857fa5
+status: experimental
+description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands
+author: Nasreddine Bencherchali (rule)
+references:
+ - https://twitter.com/nao_sec/status/1530196847679401984
+ - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
+date: 2022/05/29
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent:
+ ParentImage|endswith: '\WINWORD.exe'
+ Image|endswith: '\msdt.exe'
+ selection_cmd:
+ Image|endswith: '\msdt.exe'
+ CommandLine|contains|all:
+ - 'ms-msdt:/id'
+ - 'IT_BrowseForFile='
+ - 'IT_RebrowseForFile='
+ condition: 1 of selection*
+falsepositives:
+ - Unknown
+level: high
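Review bot: `selection_cmd` matches only when `ms-msdt:/id`, `IT_BrowseForFile=` and `IT_RebrowseForFile=` are all present on the command line, so this branch covers just the exact sample from the referenced reports and misses a handler invocation that carries only a subset of those parameters; relaxing it to `CommandLine|contains|all: ['ms-msdt:/id', 'IT_BrowseForFile=']` keeps the branch specific to the browse-for-file payload while widening coverage, and any benign hits it then produces should be recorded under `falsepositives` in place of `Unknown`. `selection_parent` is restricted to `\WINWORD.exe` while the title and description speak generally of documents; if the same handler can be reached from other Office hosts, `ParentImage|endswith: ['\WINWORD.exe', '\EXCEL.exe', '\POWERPNT.exe', '\OUTLOOK.exe']` would cover them without losing fidelity. The rule also has no `tags` block; Sigma convention would add `attack.defense_evasion` and `attack.t1218` so the detection maps to ATT&CK in downstream tooling.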