Threat Feed

Threat level: high

Suspicious Microsoft Diagnostics Wizard Execution

This rule detects potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments on Windows systems.

The Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a built-in Windows tool used for troubleshooting various system issues. Attackers can abuse MSDT to proxy malicious command or binary execution through carefully crafted process arguments, evading traditional defense mechanisms. This technique leverages the trust associated with a signed Microsoft binary (msdt.exe) to execute arbitrary commands. The detection rule identifies suspicious MSDT executions based on command-line arguments, filename discrepancies, and unusual process relationships. This activity has been observed since at least May 2022 and continues to be a relevant defense evasion technique. Defenders should monitor for unusual invocations of MSDT, especially when launched from untrusted sources or with suspicious arguments.

Attack Chain

  1. Attacker gains initial access via an unspecified vector (e.g., phishing, drive-by download).
  2. The attacker uses a malicious document or script to invoke msdt.exe with specific arguments.
  3. MSDT is executed with a crafted IT_RebrowseForFile or IT_BrowseForFile parameter containing a malicious payload.
  4. Alternatively, MSDT is executed with -af /skip and a path to a malicious PCWDiagnostic.xml file.
  5. MSDT processes the malicious input, leading to the execution of attacker-controlled code.
  6. The attacker’s code executes, potentially downloading or executing further payloads.
  7. The attacker achieves persistence by modifying registry keys or creating scheduled tasks.
  8. The attacker moves laterally through the network, compromising additional systems and data.

Impact

Successful exploitation allows attackers to bypass security controls and execute arbitrary code on compromised systems. This can lead to data theft, system compromise, and further propagation of the attack within the network. The defense evasion tactic can obscure malicious activities, making it more difficult to detect and respond to incidents. Depending on the user’s privileges, the attacker might gain elevated privileges on the system.

Recommendation

  • Deploy the provided Sigma rules to detect suspicious MSDT executions based on process arguments, filename discrepancies, and unusual parent-child relationships.
  • Monitor process creation events for msdt.exe with arguments containing IT_RebrowseForFile=*, *FromBase64*, or */../../../* using the provided Sigma rule.
  • Enable Sysmon process creation logging (Event ID 1) to capture the necessary process execution details for the provided Sigma rules.
  • Investigate any alerts generated by these rules, focusing on the process command line, parent process, and any spawned child processes.
  • Block execution of msdt.exe from non-standard paths as highlighted in the detection rule.

Detection coverage (3 rules)

Suspicious MSDT Execution with IT_RebrowseForFile

Severity: high

Detects MSDT execution with IT_RebrowseForFile or IT_BrowseForFile arguments, indicating potential abuse.

Format: sigma | Tactic: defense_evasion | Technique: T1218.011 | Sources: process_creation, windows

Suspicious MSDT Execution with -af and /skip

Severity: high

Detects MSDT execution with -af /skip arguments pointing to a PCWDiagnostic.xml file, often used for exploitation.

Format: sigma | Tactic: defense_evasion | Technique: T1218.011 | Sources: process_creation, windows

MSDT Executed from Unusual Location

Severity: medium

Detects MSDT execution from a non-standard directory, which can indicate malicious activity.

Format: sigma | Tactic: defense_evasion | Technique: T1036.005 | Sources: process_creation, windows
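The three coverage entries above, and the monitoring bullets in the Recommendation section, describe matching on process-creation fields. The following is an added example, not the feed's own Sigma rules, that implements the same three checks in Python over constructed Sysmon Event ID 1 style records. Assumptions of mine: the pipe-delimited record format and its field names, the two directories treated as msdt.exe's legitimate home (C:\Windows\System32 and C:\Windows\SysWOW64), the reading of "filename discrepancies" as a mismatch between the on-disk name and the PE OriginalFileName, and the placeholder payload text in the sample command lines.

```python
"""Detection logic for the three MSDT rules described on this page, applied to
constructed Sysmon-style process-creation (Event ID 1) records.
Added example, not the feed's Sigma rules; record format, field names, the
expected-directory set and the sample records are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Where msdt.exe legitimately lives (assumption: the page only says "non-standard
# directory"; these are the two shipped locations on 64-bit Windows).
EXPECTED_MSDT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Indicator substrings taken from the page's recommendation bullets (lower-cased).
REBROWSE_INDICATORS = ("it_rebrowseforfile=", "it_browseforfile=",
                       "frombase64", "/../../../")


@dataclass(frozen=True)
class ProcessEvent:
    image: str               # full path of the created process
    command_line: str
    parent_image: str        # kept for triage, as the page recommends
    original_file_name: str  # PE version-info name, as Sysmon logs it


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key: value | Key: value' record into a ProcessEvent."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ProcessEvent(image=fields["Image"], command_line=fields["CommandLine"],
                        parent_image=fields["ParentImage"],
                        original_file_name=fields.get("OriginalFileName", ""))


def _is_msdt(ev: ProcessEvent) -> bool:
    # Match on either the on-disk name or the embedded original name, so a renamed copy still counts.
    return (PureWindowsPath(ev.image).name.lower() == "msdt.exe"
            or ev.original_file_name.lower() == "msdt.exe")


def rule_rebrowse_for_file(ev: ProcessEvent) -> bool:
    """Rule 1: msdt.exe with IT_RebrowseForFile / IT_BrowseForFile, FromBase64 or path traversal."""
    cl = ev.command_line.lower()
    return _is_msdt(ev) and any(ind in cl for ind in REBROWSE_INDICATORS)


def rule_af_skip(ev: ProcessEvent) -> bool:
    """Rule 2: msdt.exe -af <answer file> /skip where the answer file is a PCWDiagnostic.xml."""
    cl = ev.command_line.lower()
    tokens = cl.split()  # whole-token match so "-af" does not hit unrelated switches
    return _is_msdt(ev) and "-af" in tokens and "/skip" in tokens and "pcwdiagnostic.xml" in cl


def rule_unusual_location(ev: ProcessEvent) -> bool:
    """Rule 3: msdt.exe outside its shipped directories, or a binary whose version
    info says msdt.exe while its on-disk name differs (filename discrepancy)."""
    path = PureWindowsPath(ev.image)
    name = path.name.lower()
    if name == "msdt.exe" and str(path.parent).lower() not in EXPECTED_MSDT_DIRS:
        return True
    return ev.original_file_name.lower() == "msdt.exe" and name != "msdt.exe"


RULES = (
    ("Suspicious MSDT Execution with IT_RebrowseForFile", "high", rule_rebrowse_for_file),
    ("Suspicious MSDT Execution with -af and /skip", "high", rule_af_skip),
    ("MSDT Executed from Unusual Location", "medium", rule_unusual_location),
)


def evaluate(lines: list[str]) -> list[dict]:
    """Run every rule over every record; each hit carries the fields an analyst triages first."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for title, severity, rule in RULES:
            if rule(ev):
                alerts.append({"rule": title, "severity": severity, "image": ev.image,
                               "parent": ev.parent_image, "command_line": ev.command_line})
    return alerts


# Constructed sample records (not real telemetry); <PLACEHOLDER> stands in for argument content.
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\msdt.exe | CommandLine: msdt.exe -id PCWDiagnostic | ParentImage: C:\Windows\explorer.exe | OriginalFileName: msdt.exe",
    r'Image: C:\Windows\System32\msdt.exe | CommandLine: msdt.exe /id PCWDiagnostic /param "IT_RebrowseForFile=<PLACEHOLDER>" | ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | OriginalFileName: msdt.exe',
    r"Image: C:\Windows\System32\msdt.exe | CommandLine: msdt.exe -af C:\Users\Public\PCWDiagnostic.xml /skip force | ParentImage: C:\Windows\System32\cmd.exe | OriginalFileName: msdt.exe",
    r"Image: C:\Users\Public\msdt.exe | CommandLine: msdt.exe -id PCWDiagnostic | ParentImage: C:\Windows\System32\cmd.exe | OriginalFileName: msdt.exe",
    r"Image: C:\Users\Public\diag.exe | CommandLine: diag.exe -id PCWDiagnostic | ParentImage: C:\Windows\System32\cmd.exe | OriginalFileName: msdt.exe",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['image']} (parent {alert['parent']})")
```

The first sample record is a benign troubleshooter launch from Explorer and trips nothing; the remaining four each trip exactly one rule, with the last one caught only because the OriginalFileName is compared against the on-disk name. The parent image is carried into every alert rather than used as a match condition, since the page leaves "unusual process relationships" to the investigation step.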
