For details on cookie usage on our site, read our Privacy Policy
CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability
- LIVEcommunity
- Discussions
- Security Operations
- Cortex XDR Discussions
- Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 05:35 AM
Does Cortex XDR Prevent protect against CVE-2022-30190 (Microsoft Support Diagnostic Tool Vulnerability)?
Thank you!
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 07:17 AM
Thats true. That is why i first searched for all occuring msdt.exe and added all hashes 😉
As far as i see, disabling diagnistics doesn't seem to help here, as the binary is still there and handling urls.
The only "real" workaround, afaik, is to disable msdt url protocol, as stated by microsoft.
BUT you will have to do registry changes everwhere, and revert (if needed) later.
So, blocking the hashes in the meantime, until a patch is available, seemes to be the less invasive way to go...
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 07:49 AM
FYI, some IOCs for this CVE, which might help:
At least the initial malicious document is already recognized by Cortex/Wildfire:
4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 07:53 AM - edited 05-31-2022 08:00 AM
Hm, I'm not sure. I disabled both:
Scripted Diagnostics
and
Allow users to access and run Troubleshooting Wizards
Let's see if there will be another way to block this with Cortex soon...
Update - looks like a legit workaround:
To disable the exploit
Group Policy
You can disable this via GPO (which is a fully supported method vs the reg hacks)
you do this via registry:
reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics” /t REG_DWORD /v EnableDiagnostics /d 0
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 10:22 AM
The following queries can be executed for hunting successful exploitation:
// msdt.exe execution with suspicious argument
config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_command_line contains "msdt.exe" and action_process_image_command_line contains "it_browseforfile"
| fields agent_hostname , action_process_image_command_line , action_process_image_path , actor_process_command_line , actor_process_image_path , causality_actor_process_image_path
// office processes spawning msdt.exe
config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_command_line contains "msdt.exe" and actor_process_image_name in ("winword.exe", "powerpnt.exe", "excel.exe", "msaccess.exe","visio.exe","onenote.exe")
| fields agent_hostname , action_process_image_command_line , action_process_image_path , actor_process_command_line , actor_process_image_path , causality_actor_process_image_path
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 11:42 AM
You could create a BIOC rule with that query and then assign this BIOC rule to a restriction profile so that it would prevent the action. It does the trick usually, keep in mind that BIOC rules aren't instantaneous, but depending of the actions, it usually reacts quickly enough to avoid most of the damage.
- Vulnerability Assessment - missing CVE? in Cortex XDR Discussions
- export/view information about Windows endpoints missing with KB in Cortex XDR Discussions
- Vulnerability Assessment Applications / host insights addon in Cortex XDR Discussions
- XQL or API access to Vulnerability Assessments in Cortex XDR Discussions
- Cortex XDR PoC Lab ft. CVE-2021-3560 in Cortex XDR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
