topic CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability in Cortex XDR Discussions

CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

NiekMeulendijks — Tue, 31 May 2022 12:35:18 GMT

Does Cortex XDR Prevent protect against CVE-2022-30190 (Microsoft Support Diagnostic Tool Vulnerability)?

Thank you!

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

RonaldWeiss — Tue, 31 May 2022 13:53:28 GMT

Hello,

hope it's ok to attach mine, as it is the same issue/idea...

If this would work, your issue would be resolved as well:

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-does-not-block-windows-binaries/td-p/495153

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

MartinPfeil — Tue, 31 May 2022 13:53:47 GMT

I haven't seen anything from Palo Alto yet.

We are using the following XQL query to detect attacks, obviously it is a little bit rough and any improvement is welcome

dataset = xdr_data
| filter action_process_image_name contains "msdt.exe"
| filter action_process_image_command_line contains "PCWDiagnostic" and action_process_image_command_line contains "IT_RebrowseForFile"
| fields _time, agent_hostname as host, actor_effective_username as user, actor_process_image_path as parent_process, action_process_image_path as executed , action_process_image_command_line as command_line

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

RonaldWeiss — Tue, 31 May 2022 14:00:03 GMT

@MartinPfeil : good idea, well done query. but you cannot prevent with it.
That's the reason i'd love to see a hashblock for msdt.exe...

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

SHoehne — Tue, 31 May 2022 14:09:53 GMT

The problem could then be, that there could be different versions with different hashes...

I just disabled the Diagnostics using a group policy which seems a better approach for me.

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

RonaldWeiss — Tue, 31 May 2022 14:17:17 GMT

Thats true. That is why i first searched for all occuring msdt.exe and added all hashes 😉

As far as i see, disabling diagnistics doesn't seem to help here, as the binary is still there and handling urls.

The only "real" workaround, afaik, is to disable msdt url protocol, as stated by microsoft.

BUT you will have to do registry changes everwhere, and revert (if needed) later.

So, blocking the hashes in the meantime, until a patch is available, seemes to be the less invasive way to go...

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

RonaldWeiss — Tue, 31 May 2022 14:49:29 GMT

FYI, some IOCs for this CVE, which might help:

New Microsoft Office Attack Vector via ms-msdt Protocol Scheme (CVE-2022-30190) - SANS Internet Storm Center - AlienVault - Open Threat Exchange

At least the initial malicious document is already recognized by Cortex/Wildfire:

4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

SHoehne — Tue, 31 May 2022 15:00:10 GMT

Hm, I'm not sure. I disabled both:

Scripted Diagnostics

and
Allow users to access and run Troubleshooting Wizards

Let's see if there will be another way to block this with Cortex soon...

Update - looks like a legit workaround:

To disable the exploit

Group Policy

You can disable this via GPO (which is a fully supported method vs the reg hacks)

you do this via registry:

reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics” /t REG_DWORD /v EnableDiagnostics /d 0

https://www.pwndefend.com/2022/05/30/office-microsoft-support-diagnostic-tool-msdt-vulnerability-follina/

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

ZAB3115 — Tue, 31 May 2022 17:22:21 GMT

The following queries can be executed for hunting successful exploitation:

// msdt.exe execution with suspicious argument
config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_command_line contains "msdt.exe" and action_process_image_command_line contains "it_browseforfile"
| fields agent_hostname , action_process_image_command_line , action_process_image_path , actor_process_command_line , actor_process_image_path , causality_actor_process_image_path

// office processes spawning msdt.exe
config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_command_line contains "msdt.exe" and actor_process_image_name in ("winword.exe", "powerpnt.exe", "excel.exe", "msaccess.exe","visio.exe","onenote.exe")
| fields agent_hostname , action_process_image_command_line , action_process_image_path , actor_process_command_line , actor_process_image_path , causality_actor_process_image_path

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

Luc_Desaulniers — Tue, 31 May 2022 18:42:58 GMT

You could create a BIOC rule with that query and then assign this BIOC rule to a restriction profile so that it would prevent the action. It does the trick usually, keep in mind that BIOC rules aren't instantaneous, but depending of the actions, it usually reacts quickly enough to avoid most of the damage.

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

Luc_Desaulniers — Tue, 31 May 2022 18:47:45 GMT

Great start on the query. Here's another way you could do this to avoid an and statement:

config case_sensitive = false
|dataset = xdr_data
|filter event_type = ENUM.PROCESS
|filter action_process_image_name = "msdt.exe" and action_process_image_command_line = "*PCWDiagnostic*IT_RebrowseForFile*"
|fields agent_hostname, action_process_username as User, action_process_image_name as Child_Process, action_process_image_path as Child_Path, action_process_image_command_line as Child_CMD_Line, action_process_image_sha256 as Child_SHA256, actor_process_image_name as Parent_Process, actor_process_image_path as Parent_Path, os_actor_process_command_line as Parent_CMD_Line

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

RonaldWeiss — Wed, 01 Jun 2022 06:53:15 GMT

Hi @Luc_Desaulniers ,

thanks for the hint with the custom prevention rules. i really didnt think of that 🙂

works like a charm!

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

parreira — Wed, 01 Jun 2022 09:29:30 GMT

https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability/

mentions ""WildFire and Cortex XDR categorize all known samples we’ve come across as malware.""

Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

kcross — Thu, 02 Jun 2022 15:23:11 GMT

Please check out our latest blog post Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190).