Background
Monday, May 30th, 2022, Microsoft issued CVE-2022-30190 for a Remote Code Execution vulnerability with the Microsoft Support Diagnostic Tool (MSDT) in Windows:
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights.” - Microsoft Security Response Center¹
Microsoft has published information and mitigation recommendations pending possible further action from Microsoft.
What does this mean?
With a crafted Word or Rich Text Format (RTF) document, an attacker can embed an external HTML reference to retrieve and execute code that contains an MSDT URL protocol schema. Windows will run the URL, executing the Diagnostic Tool to run the attacker-provided code with the program's privileges running the document.
What brought this to the attention of the Internet?
On Friday, May 27th, 2022, security researcher @nao_sec shared a Microsoft Word document on Twitter², abusing Microsoft’s Support Diagnostic Tool to run malware. Opening the document retrieved a script from the attacker website containing an MSDT protocol URL with an encoded PowerShell script to run a series of commands. Kevin Beaumont (@GossiTheDog) brought @nao_sec’s finding to the attention of Twitter and dubbed this attack “Follina”³.
What defenders can do
In Windows environments, with good endpoint visibility (Windows Events, Sysmon, EDR, etc.), seeing MSDT activity will be a normal occurrence. With the exploitation of CVE-2022-30190, there will be additional behavior to investigate, such as:
Word as the parent of MSDT.exe with suspicious command lines
Command lines containing MSDT protocol schema URLs and possible file execution
Command lines containing MSDT protocol schema URLs and PowerShell invocation
Suspicious MSDT.exe execution and corresponding SDiagNHost.exe process creation with suspicious child process and command line
Sumo Logic searches
The following queries are useful for profiling and identifying activity related to CVE-2022-30190 and are built using Sumo Logic Cloud SIEM records. They are intended to provide starter search logic for adaptation to search across the raw data sources available in the Sumo Logic Continuous Intelligence PlatformTM and other tools.
Word as parent of MSDT.exe with command line profiling
Search objective: Identify Process Creation events where an MSDT.exe process was created with Word (winword.exe) as the parent application while aggregating these events by hostname (or user) and display the associated Command Line, with corresponding process lineage (parent/baseImage).
_index=sec_record_endpoint (“msdt.exe” “winword.exe”)
| where toLowerCase(parentBaseImage) matches “winword.exe”
| count by device_hostname,user_username,parentBaseImage,baseImage,commandLine
| order by _count DESC
Command lines containing MSDT protocol schema URLs with file execution
Search objective: Identify Process Creation events with the MSDT URL protocol in the command line, with the use of the IT_BrowseForFile and IT_RebrowseForFile arguments to direct MSDT to execute attacker code or an intended executable.
Reference: Huntress Labs Post⁴
_index=sec_record_endpoint (“ms-msdt:” “PCWDiagnostic” “BrowseForFile” “RebrowseForFile”)
| where toLowerCase(commandLine) matches “*ms-msdt:*”
| count by device_hostname,parentBaseImage,baseImage,commandLine
| order by _count DESC
Command lines containing MSDT protocol schema URLs with PowerShell invocation:
Search objective: Identify Process Creation events with the MSDT URL protocol and PowerShell Invoke command, where MSDT will be executing a PowerShell script or command.
_index=sec_record_endpoint (“ms-msdt:” “PCWDiagnostic” “BrowseForFile” “RebrowseForFile” “Invoke-”)
| where toLowerCase(commandLine) matches “*ms-msdt:*(Invoke-*”
| count by device_hostname,parentBaseImage,baseImage,commandLine
| order by _count DESC
SDiagNHost.exe process creation with suspicious child process with command lines:
Search objective: Upon executing MSDT, it will create a process with the parent process of SDiagNHost.exe. Msdt.exe is not the parent of the sdiagnhost.exe process. After excluding commonly observed binaries associated with sdiagnhost.exe execution, the results are aggregated by device_hostname, BaseImage or process name, and command line for further analysis and investigation.
Reference: @neonprimetime via Twitter⁵
_index=sec_record_endpoint “sdiagnhost.exe” !("conhost.exe" OR "route.exe" OR "netsh.exe" OR "ping.exe" OR "wpr.exe" OR "makecab.exe" OR "ipconfig.exe" OR "csc.exe" OR "chrome.exe" OR "w32tm.exe" OR "net.exe" OR "bitsadmin.exe" OR "sc.exe" OR "sfc.exe" OR"dismhost.exe")
| where toLowerCase(parentBaseImage) matches “sdiagnhost.exe”
| count by device_hostname,parentBaseImage,baseImage,commandLine
| order by _count DESC
Microsoft Support Diagnostic Tool (msdt.exe) profiling with command lines:
Search objective: Identify Process Creation events with msdt.exe to understand frequency and see the variations of command lines.
_index=sec_record_endpoint “msdt.exe” | where toLowerCase(baseImage) matches “*msdst.exe” | values(commandLine) as commandLines, count by parentBaseImage,BaseImage
Scripted Diagnostic Native Host (sdiagnhost.exe) profiling with command lines:
Search objective: Identify Process Creation events with msdt.exe to understand the frequency and see the variations of command lines.
_index=sec_record_endpoint “sdiagnhost.exe”
| where toLowerCase(parentBaseImage) matches “*sdiagnhost.exe”
| count_distinct(device_hostname) as host_count, count by BaseImage,commandLine
Sumo Logic Cloud SIEM Enterprise Rules
The Threat Labs team has developed and deployed the following rules for Sumo Logic Cloud SIEM Enterprise (CSE) to provide detection opportunities for possible attempted and successful exploitation of CVE-2022-30190. Modifications to these detections and new detections will be released if the situation warrants it.
Rule ID | Rule Name | |
MATCH-S00811 | MS Office Product Spawning Msdt.exe | |
MATCH-S00812 | Microsoft Support Diagnostic Tool with BrowseForFile | |
MATCH-S00813 | Microsoft Support Diagnostic Tool Invoking PowerShell | |
MATCH-S00814 | Abnormal Child Process - sdiagnhost.exe | |
These rules provide multiple detection opportunities for exploitation of CVE-2022-30190, beginning with Malicious Documents interacting with the Microsoft Support Detection Tool process to the process creation events of SDiagNHost and the possibly malicious payload.
Recommendations
Threat Labs recommends that readers assess the potential exposure in their environment, use the queries provided to hunt for exploitation, better understand the mechanisms involved in the exploitation of CVE-2022-30190, and hunt for possible malicious activity. Sumo Logic Cloud SIEM Enterprise customers have access to the above rules, providing detection opportunities for customers with Process Creation events.
On June 14th, Microsoft included an update for CVE-2022-30190 with the June patch Tuesday release. Please reference updated guidance from Microsoft on the vulnerability here (CVE reference).
References
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
https://twitter.com/neonprimetime/status/1531719870378811398
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
https://isc.sans.edu/forums/diary/First+Exploitation+of+Follina+Seen+in+the+Wild/28698/
https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.
