From efbfc7fe67bab78a3c3a968b635f5f3533e34a16 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 21 Jun 2022 19:13:53 +0100
Subject: [PATCH] New Rule (https://twitter.com/nas_bench/status/1537919885031772161)
---
 .../posh_ps_susp_follina_execution.yml | 27 +++++++++++++++++++
 ...roc_creation_win_msdt_susp_cab_options.yml | 2 +-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
new file mode 100644
index 000000000..19b337b9a
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
@@ -0,0 +1,27 @@
+title: Troubleshooting Pack Cmdlet Execution
+id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
+status: experimental
+author: Nasreddine Bencherchali
+date: 2022/06/21
+description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
+references:
+    - https://twitter.com/nas_bench/status/1537919885031772161
+    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Invoke-TroubleshootingPack'
+            - 'C:\Windows\Diagnostics\System\PCW'
+            - '-AnswerFile'
+            - '-Unattended'
+    condition: selection
+falsepositives:
+    - Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1202
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
index d4627e1f7..f4c1f54d4 100644
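Review bot: The `contains|all` selection is narrower than the technique the description claims to cover — it fires only when all four strings appear in a single script block, so a payload that builds the pack path from `$env:SystemRoot` instead of the literal `C:\Windows`, points `Get-TroubleshootingPack` at a different pack directory, or omits `-Unattended` (which, as far as I can tell, only suppresses interactive prompts and is not needed for the pack to run) is not matched. I would drop the drive letter and the `-Unattended` requirement, keeping `'Invoke-TroubleshootingPack'`, `'-AnswerFile'` and `'\Diagnostics\System\PCW'` as the required set, and if a broader match on any pack is wanted, loosen the path item to `'\Diagnostics\System\'` rather than hard-coding PCW. Long script blocks are also logged across several 4104 events, so a `contains|all` over one `ScriptBlockText` can miss payloads padded past that limit; that is worth a line in `definition` or `falsepositives` so analysts know the coverage boundary. Since the description names CVE-2022-30190, the tag list should also carry `- cve.2022.30190` so the rule is discoverable by CVE.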
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
@@ -1,7 +1,7 @@
 title: MSDT.EXE Execution With Suspicious Cab Option
 id: dc4576d4-7467-424f-9eee-fd2b02855fe0
 status: experimental
-description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embeded answer files leveraging CVE-2022-30190
+description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
 author: Nasreddine Bencherchali
 references:
     - https://twitter.com/nas_bench/status/1537896324837781506
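Review bot: The corrected description line still carries a grammar slip — `which could indicates` should read `which could indicate`. While the line is being touched anyway, I would land it as `description: Detects execution of msdt.exe using the "cab" flag which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190`.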