suspicious_msdt_execution.yml

title: Suspicious msdt.exe execution - Office Exploit
id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b
status: experimental
description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation. 
references:
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://twitter.com/MalwareJake/status/1531019243411623939
author: 'Matthew Brennan'
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:

    selection1:
      Image|endswith:
        - 'msdt.exe'
    selection2:
      CommandLine|contains:
        - 'PCWDiagnostic'
    selection3:
      CommandLine|contains:
        - 'ms-msdt:-id'
        - 'ms-msdt:/id'

    selection4:
      CommandLine|contains:
        - 'invoke'
    condition: selection1 and (selection4 or (selection2 and selection3))
falsepositives:
  - Unknown
level: high

Thanks for the rule! Just a heads up, the upper case "OR" condition on line 30 will prevent pySigma from parsing this rule successfully. Changing it to a lower-case "or" makes it work. @thomaspatzke, do you know if this is by design? It looks like legacy sigma can parse it either way.

Hi @mbabinski! Thanks for clarifying this!

It was more an accident than intention that sigmac tolerates different cases of conditional operators. They should be lower-cased.

in splunk i have no fields called Image or CommandLine. What am I to do with the above?

@RyanMBess You have to define a mapping between the Sigma field naming (for endpoints we use the Sysmon taxonomy as convention) and your target system. Depending on the used conversion tool this is done with:

• Processing pipelines in Sigma CLI. Sigma CLI comes already with some pipelines. You can list them with sigma list pipelines and use then with the -p parameter of the sigma convert command. Currenty, these pipelines are defined:

+----------------------------+----------+--------------------------------------------------------------------------------+
| Identifier                 | Priority | Processing Pipeline                                                            |
+----------------------------+----------+--------------------------------------------------------------------------------+
| sysmon                     | 10       | Generic Log Sources to Sysmon Transformation                                   |
| crowdstrike_fdr            | 10       | Generic Log Sources to CrowdStrike Falcon Data Replicator (FDR) Transformation |
| splunk_windows             | 20       | Splunk Windows log source conditions                                           |
| splunk_sysmon_acceleration | 25       | Splunk Windows Sysmon search acceleration keywords                             |
| splunk_cim                 | 20       | Splunk CIM Data Model Mapping                                                  |
| windows                    | 10       | Generic Log Sources to windows Transformation                                  |
+----------------------------+----------+--------------------------------------------------------------------------------+

• The mapping configuration in sigmac, which is quite restricted compared to Sigma CLI. Sigmac also has some mappings defined, you can list them with sigmac -l.

I ran the yaml file through sigma and since my siem is splunk it gave the below.

((Image="*msdt.exe") ((CommandLine="invoke") OR ((CommandLine="PCWDiagnostic") (CommandLine="ms-msdt:-id" OR CommandLine="ms-msdt:/id"))))

in splunk i have no fields called Image or CommandLine. What am I to do with the above?

Just FYI, Splunk should know these fields from Windows ETW logs too, you just have to ingest the logs in the XML format (how it should be). Splunk messed up with it initially but corrected it from Splunk 6.2 onwards. More info here: https://www.splunk.com/en_us/blog/platform/splunk-6-2-feature-overview-xml-event-logs.html