Adversaries may abuse the ms-msdt URI scheme to execute malicious code through the Microsoft Support Diagnostic Tool vulnerability (CVE-2022-30190), a form of Template Injection (T1221) that bypasses standard security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate exploitation of CVE-2022-30190 before it leads to persistent malware execution.
KQL Query
```kql
// Office products spawning MSDT
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
    and FileName =~ "msdt.exe"
```
```yaml
id: cd1c9815-1f2c-483e-a875-b81bfcc1489b
name: detect-office-applications-spawning-msdt-CVE-2022-30190
description: |
  This query detects possible abuse of the ms-msdt MSProtocol URI scheme to load and execute malicious code via the Microsoft Support Diagnostic Tool vulnerability (CVE-2022-30190).
  The following query detects when Microsoft Office software spawns an instance of the MSDT utility, msdt.exe.
  References:
  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
  https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
  https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
  https://attack.mitre.org/techniques/T1221/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense Evasion
relevantTechniques:
  - T1221
query: |
  // Office products spawning MSDT
  DeviceProcessEvents
  | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
      and FileName =~ "msdt.exe"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
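As an added example that is not part of the original rule, the following Python mirrors the query's where-clause over constructed DeviceProcessEvents-style rows, so the case-insensitive behaviour of `in~` and `=~` can be checked offline before the rule is deployed. Field names follow the Sentinel table; the hostnames and events are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Parent images named in the hunting query; compared case-insensitively
# because KQL's in~ operator ignores case.
OFFICE_PARENTS = frozenset({"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"})
MSDT = "msdt.exe"  # FileName =~ "msdt.exe" is likewise case-insensitive


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a DeviceProcessEvents row (field names mirror the table)."""
    DeviceName: str
    InitiatingProcessFileName: str
    FileName: str


def is_office_spawning_msdt(ev: ProcessEvent) -> bool:
    """Python equivalent of the KQL where-clause: Office parent AND msdt.exe child."""
    return (ev.InitiatingProcessFileName.lower() in OFFICE_PARENTS
            and ev.FileName.lower() == MSDT)


def hunt(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the rows the Sentinel query would return."""
    return [ev for ev in events if is_office_spawning_msdt(ev)]


# Constructed sample telemetry (hostnames are invented for this example).
SAMPLE_EVENTS = [
    # Mixed-case image names still match, exactly as in~ / =~ would match them.
    ProcessEvent("ws-finance-01", "WINWORD.EXE", "MSDT.EXE"),
    ProcessEvent("ws-hr-07", "excel.exe", "Msdt.exe"),
    # msdt.exe launched from Explorer (a user opening a troubleshooter): not an Office parent.
    ProcessEvent("ws-it-02", "explorer.exe", "msdt.exe"),
    # Word spawning something other than msdt.exe is outside this query's scope.
    ProcessEvent("ws-finance-01", "winword.exe", "cmd.exe"),
    # Office parent, but a different child image name: =~ is an exact match, not a prefix match.
    ProcessEvent("ws-sales-03", "outlook.exe", "msdt.exe.tmp"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.DeviceName}: {hit.InitiatingProcessFileName} -> {hit.FileName}")
```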
- Scenario: System Update Scheduled Task
  - Description: A scheduled task runs Windows Update or a Microsoft Update tool that spawns msdt.exe as part of the update process.
  - Filter/Exclusion: Check for processes associated with wuauclt.exe or wusa.exe and exclude any instances where the parent process is a known update service or task scheduler.
- Scenario: Microsoft Endpoint Manager (MEM) Configuration Task
  - Description: A configuration task initiated by Microsoft Endpoint Manager (MEM) or Intune to deploy policies or updates may trigger msdt.exe as part of the deployment process.
  - Filter/Exclusion: Filter by parent process msiexec.exe or setup.exe and exclude any processes initiated by MEM or Intune services.
- Scenario: Microsoft Defender Antivirus Scan
  - Description: Microsoft Defender may use msdt.exe as part of its scanning or remediation processes, especially when executing diagnostic tools.
  - Filter/Exclusion: Exclude processes where the parent is MsMpEng.exe or MsCtfMonitor.exe and filter by known Defender-related command-line arguments.
- Scenario: Microsoft System Center Configuration Manager (SCCM) Deployment
  - Description: SCCM may trigger msdt.exe during software deployment or patching operations.
  - Filter/Exclusion: Filter for parent processes such as ccmexec.exe or smsexec.exe and exclude any instances where the command line includes SCCM-related paths or parameters.
- Scenario: Administrative PowerShell Script Execution
  - Description: An admin may run a PowerShell script that invokes msdt.exe as part of a system diagnostic or maintenance task.
  - Filter/Exclusion: Filter by parent process powershell.exe and check for known admin scripts or paths in the command line that are part of standard administrative tasks.