detect-office-applications-spawning-msdt-CVE-2022-30190

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This query detects possible abuse of ms-msdt MSProtocol URI scheme to load and execute malicious code via Microsoft Support Diagnostic Tool Vulnerability (CVE-2022-30190). The following query detects when Microsoft Office software spawns an instance of the MSDT utility, msdt.exe. References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190 https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ https://www.huntre

Attribute	Value
Type	Hunting Query
Solution	GitHub Only
ID	cd1c9815-1f2c-483e-a875-b81bfcc1489b
Tactics	Defense Evasion
Techniques	T1221
Required Connectors	MicrosoftThreatProtection
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
DeviceProcessEvents	✓	✗	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries