For details on cookie usage on our site, read our Privacy Policy
CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability
- LIVEcommunity
- Discussions
- Security Operations
- Cortex XDR Discussions
- CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 05:35 AM
Does Cortex XDR Prevent protect against CVE-2022-30190 (Microsoft Support Diagnostic Tool Vulnerability)?
Thank you!
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 06:53 AM
Hello,
hope it's ok to attach mine, as it is the same issue/idea...
If this would work, your issue would be resolved as well:
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 06:53 AM
I haven't seen anything from Palo Alto yet.
We are using the following XQL query to detect attacks, obviously it is a little bit rough and any improvement is welcome
dataset = xdr_data
| filter action_process_image_name contains "msdt.exe"
| filter action_process_image_command_line contains "PCWDiagnostic" and action_process_image_command_line contains "IT_RebrowseForFile"
| fields _time, agent_hostname as host, actor_effective_username as user, actor_process_image_path as parent_process, action_process_image_path as executed , action_process_image_command_line as command_line
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 07:00 AM
@MartinPfeil : good idea, well done query. but you cannot prevent with it.
That's the reason i'd love to see a hashblock for msdt.exe...
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 07:09 AM
The problem could then be, that there could be different versions with different hashes...
I just disabled the Diagnostics using a group policy which seems a better approach for me.
- Vulnerability Assessment - missing CVE? in Cortex XDR Discussions
- export/view information about Windows endpoints missing with KB in Cortex XDR Discussions
- Vulnerability Assessment Applications / host insights addon in Cortex XDR Discussions
- XQL or API access to Vulnerability Assessments in Cortex XDR Discussions
- Cortex XDR PoC Lab ft. CVE-2021-3560 in Cortex XDR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
