CVE-2022-30190 - MSDT RCE
On **May 27th**, a new Microsoft Office Zero-Day was discovered by [Nao_sec](https://twitter.com/nao_sec). The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. On **May 30th**, Microsoft assigned **CVE-2022-30190** to the MSDT vulnerability, aka **Follina vulnerability**. This playbook includes the following tasks: * Collect detection rules. * Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products. * Cortex XDR BIOCs coverage. * Provides Microsoft workarounds and detection capabilities. **More information:** [Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability ](https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/) **Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2022-30190 - MSDT RCE · 45 tasks · 8 inputs · 0 outputs
Inputs
SplunkIndex— Splunk's index name in which to search. Default is "*" - All.SplunkEarliestTime— Splunk's earliest time to search.SplunkLatestTime— Splunk's latest time to search.ElasticIndex— Elastic's index name in which to search.QRadarTimeRange— QRadar's query time range.PlaybookDescription— The playbook's description.RunXQLHuntingQueries— Whether to execute the XQL queries.RelatedCVEs— Follina vulnerability CVE reference.
Commands used
associateIndicatorsToIncident
closeInvestigation
createNewIndicator
extractIndicators
search
splunk-search
xdr-get-alerts
xdr-xql-generic-query