This artifact will search Microsoft Support Diagnostic Tool logs for evidence of ms-msdt Follina exploitation (CVE-2022-30190).
The exploit appears to add a recursive path “../../” to a TargetPath field inside the PCW.debugreport.xml.
PCW.debugreport.xml can be found inside %localappdata%\Diagnostics or %localappdata%\ElevatedDiagnostics for elevated instances.
name: Windows.Detection.MsdtFollina
author: Matt Green - @mgreen27
description: |
This artifact will search Microsoft Support Diagnostic Tool logs for evidence
of ms-msdt Follina exploitation (CVE-2022-30190).
The exploit appears to add a recursive path "../../" to a TargetPath field
inside the PCW.debugreport.xml.
PCW.debugreport.xml can be found inside %localappdata%\Diagnostics or
%localappdata%\ElevatedDiagnostics for elevated instances.
reference:
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://twitter.com/nas_bench/status/1531718490494844928
parameters:
- name: TargetGlob
default: C:\Users\*\AppData\Local\{Diagnostics,ElevatedDiagnostics}\**\PCW.debugreport.xml
- name: MsdtYara
default: |
rule msdt
{
meta:
description = "Simple yara to detect folder traversal string used in MSDT follina exploitation"
date = "2022/06/01"
strings:
$a = "../../"
condition:
$a
}
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT FullPath, Size,Mtime,Atime,Ctime,Btime,Rule,Meta,
read_file(filename=FullPath) as Content
FROM Artifact.Generic.Detection.Yara.Glob(PathGlob=TargetGlob,YaraRule=MsdtYara)