Windows.Detection.MsdtFollina

This artifact will search Microsoft Support Diagnostic Tool logs for evidence of ms-msdt Follina exploitation (CVE-2022-30190).

The exploit appears to add a recursive path “../../” to a TargetPath field inside the PCW.debugreport.xml.

PCW.debugreport.xml can be found inside %localappdata%\Diagnostics or %localappdata%\ElevatedDiagnostics for elevated instances.

name: Windows.Detection.MsdtFollina
author: Matt Green - @mgreen27
description: |
   This artifact will search Microsoft Support Diagnostic Tool logs for evidence 
   of ms-msdt Follina exploitation (CVE-2022-30190).
   
   The exploit appears to add a recursive path "../../" to a TargetPath field 
   inside the PCW.debugreport.xml.
   
   PCW.debugreport.xml can be found inside %localappdata%\Diagnostics or 
   %localappdata%\ElevatedDiagnostics for elevated instances.
   
reference:
  - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
  - https://twitter.com/nas_bench/status/1531718490494844928
   

parameters:
   - name: TargetGlob
     default: C:\Users\*\AppData\Local\{Diagnostics,ElevatedDiagnostics}\**\PCW.debugreport.xml
   - name: MsdtYara
     default: |
        rule msdt
        {
            meta:
                description = "Simple yara to detect folder traversal string used in MSDT follina exploitation"
                date = "2022/06/01"
            strings:
                $a = "../../"
            condition:
                $a
        }

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      SELECT FullPath, Size,Mtime,Atime,Ctime,Btime,Rule,Meta,
        read_file(filename=FullPath) as Content
      FROM Artifact.Generic.Detection.Yara.Glob(PathGlob=TargetGlob,YaraRule=MsdtYara)

comments powered by Disqus