CVE-2022-30190 Detection Extended For Directory Traversal

0

In the previous blog, we have detailed the technical aspects of the vulnerability CVE-2022-30190. However, all the previous threat detection was mainly focused on MS office products as the primary attack vectors followed by msdt.exe spawning.

But there are possibilities for executing msdt.exe through cmd and PowerShell terminals along with directory traversal without using MS office as the parent process / initial attack vector.

So it is highly recommended not to have only MS office products as the initial level of threat detection in the hunting queries instead keep msdt.exe as initial threat detection.

Also Read: Ngrok Threat Hunting: Detect Hackers at the End of the Tunnel

Special Thanks to Nasreddin and Samir

Detection Rules:

MDE:
DeviceProcessEvents | where ((ProcessCommandLine contains "msdt.exe" or ProcessCommandLine contains "ms-msdt:-id" or ProcessCommandLine contains "ms-msdt:/id") and (ProcessCommandLine contains "PCWDiagnostic") and (ProcessCommandLine contains "IT_BrowserForFile" or ProcessCommandLine contains "IT_LaunchMethod" or ProcessCommandLine contains "IT_RebrowseForFile") and (ProcessCommandLine contains "//" or ProcessCommandLine contains "./" or ProcessCommandLine contains "/." or ProcessCommandLine contains "../"))

Qradar:
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("Process CommandLine" ilike '%msdt.exe%' or "Process CommandLine" ilike '%ms-msdt:-id%' or "Process CommandLine" ilike '%ms-msdt:/id%') and ("Process CommandLine" ilike '%PCWDiagnostic%') and ("Process CommandLine" ilike '%IT_BrowserForFile%' or "Process CommandLine" ilike '%IT_LaunchMethod%' or "Process CommandLine" ilike '%IT_RebrowseForFile%') and ("Process CommandLine" ilike '%//%' or "Process CommandLine" ilike '%./%' or "Process CommandLine" ilike '%/.%' or "Process CommandLine" ilike '%../%')

Elastic:
(process.command_line:(msdt.exe OR ms-msdt\:-id OR ms-msdt\:\/id) AND process.command_line:PCWDiagnostic AND process.command_line:(IT_BrowserForFile OR IT_LaunchMethod OR IT_RebrowseForFile) AND process.command_line:(\/\/ OR .\/ OR \/. OR ..\/))

Splunk:
(source="WinEventLog:" AND (CommandLine="msdt.exe" OR CommandLine="ms-msdt:-id" OR CommandLine="ms-msdt:/id") AND (CommandLine="PCWDiagnostic") AND (CommandLine="IT_BrowserForFile" OR CommandLine="IT_LaunchMethod" OR CommandLine="IT_RebrowseForFile") AND (CommandLine="//" OR CommandLine="./" OR CommandLine="/." OR CommandLine="../*"))

Crowdstrike:
((((CommandHistory="msdt.exe" OR CommandHistory="ms-msdt:-id" OR CommandHistory="ms-msdt:/id") OR (CommandLine="msdt.exe" OR CommandLine="ms-msdt:-id" OR CommandLine="ms-msdt:/id")) AND ((CommandHistory="PCWDiagnostic") OR (CommandLine="PCWDiagnostic"))) AND ((CommandHistory="IT_BrowserForFile" OR CommandHistory="IT_LaunchMethod" OR CommandHistory="IT_RebrowseForFile") OR (CommandLine="IT_BrowserForFile" OR CommandLine="IT_LaunchMethod" OR CommandLine="IT_RebrowseForFile")) AND ((CommandHistory="//" OR CommandHistory="./" OR CommandHistory="/." OR CommandHistory="../") OR (CommandLine="//" OR CommandLine="./" OR CommandLine="/." OR CommandLine="../")))

FireEye Helix
(metaclass:windows args:[msdt.exe,ms-msdt:-id,ms-msdt:/id] args:PCWDiagnostic args:[IT_BrowserForFile,IT_LaunchMethod,IT_RebrowseForFile] args:[//,./,/.,../])

MS Sentinel
SecurityEvent | where EventID == 4688 | where ((CommandLine contains 'msdt.exe' or CommandLine contains 'ms-msdt:-id' or CommandLine contains 'ms-msdt:/id') and (CommandLine contains 'PCWDiagnostic') and (CommandLine contains 'IT_BrowserForFile' or CommandLine contains 'IT_LaunchMethod' or CommandLine contains 'IT_RebrowseForFile') and (CommandLine contains '//' or CommandLine contains './' or CommandLine contains '/.' or CommandLine contains '../'))

Windows Powershell
Get-WinEvent | where {(($_.message -match "CommandLine..msdt.exe." -or $_.message -match "CommandLine..ms-msdt:-id." -or $_.message -match "CommandLine..ms-msdt:/id.") -and ($_.message -match "CommandLine..PCWDiagnostic.") -and ($_.message -match "CommandLine..IT_BrowserForFile." -or $_.message -match "CommandLine..IT_LaunchMethod." -or $_.message -match "CommandLine..IT_RebrowseForFile.") -and ($_.message -match "CommandLine..//." -or $_.message -match "CommandLine.../." -or $_.message -match "CommandLine../.." -or $_.message -match "CommandLine..../.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message

Previous articleHow the APT34 uses Saitama Backdoor for DNS tunnelling
Next articleMicrosoft Search-ms Zero day – Detection and Response

LEAVE A REPLY

Please enter your comment!
Please enter your name here