{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/msdt/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Diagnostics Troubleshooting Wizard (MSDT)","Microsoft Defender XDR"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","msdt","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a built-in Windows tool used for troubleshooting various system issues. Attackers can abuse MSDT to proxy malicious command or binary execution through carefully crafted process arguments, evading traditional defense mechanisms. This technique leverages the trust associated with a signed Microsoft binary (msdt.exe) to execute arbitrary commands. The detection rule identifies suspicious MSDT executions based on command-line arguments, filename discrepancies, and unusual process relationships. This activity has been observed since at least May 2022 and continues to be a relevant defense evasion technique. \nDefenders should monitor for unusual invocations of MSDT, especially when launched from untrusted sources or with suspicious arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access via an unspecified vector (e.g., phishing, drive-by download).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a malicious document or script to invoke \u003ccode\u003emsdt.exe\u003c/code\u003e with specific arguments.\u003c/li\u003e\n\u003cli\u003eMSDT is executed with a crafted \u003ccode\u003eIT_RebrowseForFile\u003c/code\u003e or \u003ccode\u003eIT_BrowseForFile\u003c/code\u003e parameter containing a malicious payload.\u003c/li\u003e\n\u003cli\u003eAlternatively, MSDT is executed with \u003ccode\u003e-af /skip\u003c/code\u003e and a path to a malicious \u003ccode\u003ePCWDiagnostic.xml\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eMSDT processes the malicious input, leading to the execution of attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by modifying registry keys or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally through the network, compromising additional systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security controls and execute arbitrary code on compromised systems. This can lead to data theft, system compromise, and further propagation of the attack within the network. The defense evasion tactic can obscure malicious activities, making it more difficult to detect and respond to incidents. \nDepending on the user\u0026rsquo;s privileges, the attacker might gain elevated privileges on the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect suspicious MSDT executions based on process arguments, filename discrepancies, and unusual parent-child relationships.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003emsdt.exe\u003c/code\u003e with arguments containing \u003ccode\u003eIT_RebrowseForFile=*\u003c/code\u003e, \u003ccode\u003e*FromBase64*\u003c/code\u003e, or \u003ccode\u003e*/../../../*\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution details for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the process command line, parent process, and any spawned child processes.\u003c/li\u003e\n\u003cli\u003eBlock execution of \u003ccode\u003emsdt.exe\u003c/code\u003e from non-standard paths as highlighted in the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T14:23:00Z","date_published":"2024-01-25T14:23:00Z","id":"/briefs/2024-01-25-msdt-abuse/","summary":"This rule detects potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments on Windows systems.","title":"Suspicious Microsoft Diagnostics Wizard Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-25-msdt-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed — Msdt","version":"https://jsonfeed.org/version/1.1"}