Nasreddine Bencherchali
30 lines
925 B
YAML
30 lines
925 B
YAML
title: Execute Arbitrary Commands Using MSDT.EXE
|
|
id: 258fc8ce-8352-443a-9120-8a11e4857fa5
|
|
status: experimental
|
|
description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands
|
|
author: Nasreddine Bencherchali (rule)
|
|
references:
|
|
- https://twitter.com/nao_sec/status/1530196847679401984
|
|
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
|
|
- https://twitter.com/_JohnHammond/status/1531672601067675648
|
|
date: 2022/05/29
|
|
modified: 2022/06/01
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_specific_img:
|
|
- Image|endswith: '\msdt.exe'
|
|
- OriginalFileName: 'msdt.exe'
|
|
selection_specific_cmd:
|
|
CommandLine|contains:
|
|
- 'IT_BrowseForFile='
|
|
- '/af ' # For answer files
|
|
condition: all of selection_specific_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1202
|