Attack Chain

1. Attacker gains initial access via an unspecified vector (e.g., phishing, drive-by download).
2. The attacker uses a malicious document or script to invoke msdt.exe with specific arguments.
3. MSDT is executed with a crafted IT_RebrowseForFile or IT_BrowseForFile parameter containing a malicious payload.
4. Alternatively, MSDT is executed with -af /skip and a path to a malicious PCWDiagnostic.xml file.
5. MSDT processes the malicious input, leading to the execution of attacker-controlled code.
6. The attacker’s code executes, potentially downloading or executing further payloads.
7. The attacker achieves persistence by modifying registry keys or creating scheduled tasks.
8. The attacker moves laterally through the network, compromising additional systems and data.

Impact

Successful exploitation allows attackers to bypass security controls and execute arbitrary code on compromised systems. This can lead to data theft, system compromise, and further propagation of the attack within the network. The defense evasion tactic can obscure malicious activities, making it more difficult to detect and respond to incidents. Depending on the user’s privileges, the attacker might gain elevated privileges on the system.

Recommendation

• Deploy the provided Sigma rules to detect suspicious MSDT executions based on process arguments, filename discrepancies, and unusual parent-child relationships.
• Monitor process creation events for msdt.exe with arguments containing IT_RebrowseForFile=*, *FromBase64*, or */../../../* using the provided Sigma rule.
• Enable Sysmon process creation logging (Event ID 1) to capture the necessary process execution details for the provided Sigma rules.
• Investigate any alerts generated by these rules, focusing on the process command line, parent process, and any spawned child processes.
• Block execution of msdt.exe from non-standard paths as highlighted in the detection rule.