CVE-2022-30190 - MSDT RCE

On **May 27th**, a new Microsoft Office Zero-Day was discovered by [Nao_sec](https://twitter.com/nao_sec). The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. On **May 30th**, Microsoft assigned **CVE-2022-30190** to the MSDT vulnerability, aka **Follina vulnerability**. This playbook includes the following tasks: * Collect detection rules. * Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products. * Cortex XDR BIOCs coverage. * Provides Microsoft workarounds and detection capabilities. **More information:** [Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability ](https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/) **Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2022-30190 - MSDT RCE · 45 tasks · 8 inputs · 0 outputs

Inputs

  • SplunkIndex — Splunk's index name in which to search. Default is "*" - All.
  • SplunkEarliestTime — Splunk's earliest time to search.
  • SplunkLatestTime — Splunk's latest time to search.
  • ElasticIndex — Elastic's index name in which to search.
  • QRadarTimeRange — QRadar's query time range.
  • PlaybookDescription — The playbook's description.
  • RunXQLHuntingQueries — Whether to execute the XQL queries.
  • RelatedCVEs — Follina vulnerability CVE reference.

Commands used

associateIndicatorsToIncident closeInvestigation createNewIndicator extractIndicators search splunk-search xdr-get-alerts xdr-xql-generic-query

Flowchart

true false true true true false true true true false false true false true Start Start Download Sigma Rules - http Download Sigma Rules http Collect Detection Rules Collect Detection Rules Threat Hunting Threat Hunting SIEM Advanced Hunting SIEM Advanced Hunting Is Splunk Enabled? - IsIntegrationAvailable Is Splunk Enabled? IsIntegrationAvailable Is QRadar Enabled? Is QRadar Enabled? Splunk search for new Lolbin process by Office applications - splunk-search Splunk search for new Lol... splunk-search QRadar search for new Lolbin process by Office applications - QRadarFullSearch QRadar search for new Lol... QRadarFullSearch Elastic search for new Lolbin process by Office applications - search Elastic search for new Lo... search Cortex XDR - XQL Hunting Queries Cortex XDR - XQL Hunting ... Should run XQL hunting queries? Should run XQL hunting qu... Check if Cortex XDR - XQL Query Engine is Enabled - IsIntegrationAvailable Check if Cortex XDR - XQL... IsIntegrationAvailable Is Elastic Enabled? - IsIntegrationAvailable Is Elastic Enabled? IsIntegrationAvailable Cortex XDR - Post-Detection Hunting Cortex XDR - Post-Detecti... Is Cortex XDR - Investigation and Response enabled? - IsIntegrationAvailable Is Cortex XDR - Investiga... IsIntegrationAvailable Hunt for detected MSDT signatures - xdr-get-alerts Hunt for detected MSDT si... xdr-get-alerts Splunk Indicator Hunting - Splunk Indicator Hunting Splunk Indicator Hunting Splunk Indicator Hunting QRadar Indicator Hunting V2 - QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 Mitigation Mitigation Recommended Workarounds Recommended Workarounds Deploy Detection Rules Deploy Detection Rules Office spawns a child process with a protocol handler path traversal - xdr-xql-generic-query Office spawns a child pro... xdr-xql-generic-query Disable the MSDT URL Protocol Disable the MSDT URL Prot... Create an ASL rule to prevent Office child-processes creation Create an ASL rule to pre... Sigma Rules Sigma Rules Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Resolution Resolution Splunk search for msdt.exe launching via the command line. - splunk-search Splunk search for msdt.ex... splunk-search msdt.exe execution with a suspicious argument - xdr-xql-generic-query msdt.exe execution with a... xdr-xql-generic-query Collect Indicators Collect Indicators Collect indicators from TALOS - ParseHTMLIndicators Collect indicators from T... ParseHTMLIndicators Extract Indicators Extract Indicators Extract Indicators From Data Collected - extractIndicators Extract Indicators From D... extractIndicators Tag and Link Indicators Tag and Link Indicators Link Indicators To Incident - associateIndicatorsToIncident Link Indicators To Incident associateIndicatorsToIncident Tag File indicators - createNewIndicator Tag File indicators createNewIndicator Tag CVE indicators - createNewIndicator Tag CVE indicators createNewIndicator Tag Domain indicators - createNewIndicator Tag Domain indicators createNewIndicator QRadar search for msdt.exe launching via the command line - QRadarFullSearch QRadar search for msdt.ex... QRadarFullSearch Handle Rapid Breach Response Layout Handle Rapid Breach Respo... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I...