Query Details

Device Msdt Potential Exploit

Query

//Detections based on the emerging information found here - https://twitter.com/nao_sec/status/1530196847679401984, https://twitter.com/GossiTheDog/status/1531018365606707206 and https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
//Microsoft Sentinel queries
//Search your device process events for msdt.exe being generated by Outlook, Word or Excel - should be low noise and high value alerts, seems very rare behaviour
DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe" and InitiatingProcessCommandLine has_any ("outlook.exe", "winword.exe", "excel.exe") 

//Search your device process events for msdt.exe spawning processes other than itself
DeviceProcessEvents
| where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"

//Likely to get false positives with msdt.exe spawning a process other than itself, so instead look for new events seen today for the first time based on distinct process and parent process
DeviceProcessEvents
| where TimeGenerated > ago(30d) and TimeGenerated < ago(1d)
| project InitiatingProcessCommandLine, ProcessCommandLine
| where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"
| distinct InitiatingProcessCommandLine, ProcessCommandLine
| join kind=rightanti
    (
    DeviceProcessEvents
    | where TimeGenerated > ago(1d)
    | where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"
    )
    on InitiatingProcessCommandLine, ProcessCommandLine
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

//Look for new public connections from "sdiagnhost.exe" or "msdt.exe" as per https://twitter.com/MalwareJake/status/1531088843792957442
//"sdiagnhost.exe" legitimately connects to some internet endpoints as part of Microsoft telemetry, so find events new to today to investigate
let knownips=
    DeviceNetworkEvents
    | where TimeGenerated > ago(30d) and TimeGenerated < ago(1d)
    | where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
    | where RemoteIPType == "Public"
    | distinct RemoteIP;
DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
| where RemoteIPType == "Public"
| where RemoteIP !in (knownips)
| project
    TimeGenerated,
    ActionType,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemotePort,
    RemoteUrl



//Advanced Hunting queries
//Search your device process events for msdt.exe being generated by Outlook, Word or Excel - should be low noise and high value alerts, seems very rare behaviour
DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe" and InitiatingProcessCommandLine has_any ("outlook.exe", "winword.exe", "excel.exe") 

//Search your device process events for msdt.exe spawning processes other than itself
DeviceProcessEvents
| where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"

//Likely to get false positives with msdt.exe spawning a process other than itself, so instead look for new events seen today for the first time based on distinct process and parent process
DeviceProcessEvents
| where Timestamp > ago(30d) and Timestamp < ago(1d)
| project InitiatingProcessCommandLine, ProcessCommandLine
| where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"
| distinct InitiatingProcessCommandLine, ProcessCommandLine
| join kind=rightanti
    (
    DeviceProcessEvents
    | where Timestamp > ago(1d)
    | where InitiatingProcessCommandLine contains "msdt.exe" and ProcessCommandLine !contains "msdt.exe"
    )
    on InitiatingProcessCommandLine, ProcessCommandLine
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine

//Look for new public connections from "sdiagnhost.exe" or "msdt.exe" as per https://twitter.com/MalwareJake/status/1531088843792957442
//"sdiagnhost.exe" legitimately connects to some internet endpoints as part of Microsoft telemetry, so find events new to today to investigate
let knownips=
    DeviceNetworkEvents
    | where Timestamp > ago(30d) and Timestamp < ago(1d)
    | where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
    | where RemoteIPType == "Public"
    | distinct RemoteIP;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName has_any ("sdiagnhost.exe", "msdt.exe")
| where RemoteIPType == "Public"
| where RemoteIP !in (knownips)
| where RemoteUrl !endswith ".visualstudio.com" and RemoteUrl !endswith ".microsoft.com"
| project
    Timestamp,
    ActionType,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemotePort,
    RemoteUrl

Explanation

The queries search for process and network behaviour involving "msdt.exe", "outlook.exe", "winword.exe", "excel.exe" and "sdiagnhost.exe", the chain described in the linked Follina write-ups, to detect potential exploitation. The same four searches are given twice: once for Microsoft Sentinel (TimeGenerated) and once for Advanced Hunting (Timestamp).

  1. The first part searches device process events for "msdt.exe" being spawned by Outlook, Word or Excel.

  2. The second part searches device process events for "msdt.exe" spawning a process other than itself.

  3. The third part reduces the false positives of the second search: it baselines the distinct parent/child command-line pairs seen between 30 days and 1 day ago, then uses a rightanti join to return only the pairs from the last day that never appeared in that baseline.

  4. The fourth part searches for public network connections from "sdiagnhost.exe" or "msdt.exe", excluding remote IPs already seen in the preceding 30 days (the Advanced Hunting version also drops URLs ending in ".microsoft.com" or ".visualstudio.com", which sdiagnhost.exe contacts legitimately for telemetry).

Together the queries surface unusual, potentially malicious activity around these processes rather than their routine use.
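The third and fourth parts rely on a "seen before" baseline that is easy to misread in KQL. The Python below is an added example, not part of this page or the author's queries: it models the rightanti join and the knownips exclusion over constructed DeviceProcessEvents and DeviceNetworkEvents rows (sample data, not real telemetry; "ExampleDiagnostic" is a placeholder pack name) so you can see which of today's rows would survive.

```python
from datetime import datetime, timedelta, timezone
NOW = datetime(2022, 6, 2, 12, 0, tzinfo=timezone.utc)   # constructed "now"

def ago(days):   # KQL ago(): a point in time relative to NOW
    return NOW - timedelta(days=days)

def is_msdt_child(e):
    """Parent command line contains msdt.exe, child does not (KQL contains is case-insensitive)."""
    return ("msdt.exe" in e["InitiatingProcessCommandLine"].lower()
            and "msdt.exe" not in e["ProcessCommandLine"].lower())

def new_msdt_children(events):
    """rightanti join: keep last-day rows whose (parent, child) pair is absent from the 30d..1d baseline."""
    key = lambda e: (e["InitiatingProcessCommandLine"], e["ProcessCommandLine"])
    baseline = {key(e) for e in events if ago(30) < e["Timestamp"] < ago(1) and is_msdt_child(e)}
    return [e for e in events
            if e["Timestamp"] > ago(1) and is_msdt_child(e) and key(e) not in baseline]

def new_public_destinations(events):
    """knownips let-variable, RemoteIP !in (knownips), and the !endswith URL exclusions."""
    def relevant(e):
        return (e["InitiatingProcessFileName"].lower() in ("sdiagnhost.exe", "msdt.exe")
                and e["RemoteIPType"] == "Public")
    knownips = {e["RemoteIP"] for e in events if ago(30) < e["Timestamp"] < ago(1) and relevant(e)}
    return [e for e in events
            if e["Timestamp"] > ago(1) and relevant(e) and e["RemoteIP"] not in knownips
            and not e["RemoteUrl"].lower().endswith((".visualstudio.com", ".microsoft.com"))]
# Constructed sample rows (not real telemetry); "ExampleDiagnostic" is a placeholder pack name.
PROC = [
    {"Timestamp": ago(10), "InitiatingProcessCommandLine": "msdt.exe -id ExampleDiagnostic",
     "ProcessCommandLine": "sdiagnhost.exe -Embedding"},            # baseline pair
    {"Timestamp": ago(0.5), "InitiatingProcessCommandLine": "msdt.exe -id ExampleDiagnostic",
     "ProcessCommandLine": "sdiagnhost.exe -Embedding"},            # today, already known: dropped
    {"Timestamp": ago(0.2), "InitiatingProcessCommandLine": "msdt.exe -id ExampleDiagnostic",
     "ProcessCommandLine": "cmd.exe /c echo test"},                 # today, never seen: kept
]
NET = [
    {"Timestamp": ago(5), "InitiatingProcessFileName": "sdiagnhost.exe", "RemoteIPType": "Public",
     "RemoteIP": "203.0.113.10", "RemoteUrl": "telemetry.example.net"},   # baseline IP
    {"Timestamp": ago(0.5), "InitiatingProcessFileName": "sdiagnhost.exe", "RemoteIPType": "Public",
     "RemoteIP": "203.0.113.10", "RemoteUrl": "telemetry.example.net"},   # known IP: dropped
    {"Timestamp": ago(0.5), "InitiatingProcessFileName": "sdiagnhost.exe", "RemoteIPType": "Public",
     "RemoteIP": "203.0.113.20", "RemoteUrl": "example.microsoft.com"},   # URL exclusion: dropped
    {"Timestamp": ago(0.5), "InitiatingProcessFileName": "msdt.exe", "RemoteIPType": "Public",
     "RemoteIP": "198.51.100.7", "RemoteUrl": "unknown.example.org"},     # new IP: kept
]
if __name__ == "__main__": print(new_msdt_children(PROC), new_public_destinations(NET))
```

Note that, as in the KQL, a pair or IP first seen within the last day is never in the baseline, so a noisy but new legitimate update path will alert once and then disappear the next day.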

Details


Matt Zorich

Released: June 2, 2022

Tables

DeviceProcessEvents, DeviceNetworkEvents

Keywords

DeviceProcessEvents,ProcessCommandLine,InitiatingProcessCommandLine,Outlook.exe,Winword.exe,Excel.exe,msdt.exe,TimeGenerated,DeviceName,InitiatingProcessAccountName,DeviceNetworkEvents,RemoteIPType,RemoteIP,knownips,sdiagnhost.exe,Timestamp,RemoteUrl,Visualstudio.com,Microsoft.com,ActionType,LocalIP,RemotePort

Operators

contains, has_any, !contains, >, <, ago, project, distinct, join, kind=rightanti, in, let, where, ==, !in, !endswith
