This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- Security Operations
- Cortex XDR Discussions
- Re: CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 05:35 AM
Does Cortex XDR Prevent protect against CVE-2022-30190 (Microsoft Support Diagnostic Tool Vulnerability)?
Thank you!
13 REPLIES 13
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 11:47 AM
Great start on the query. Here's another way you could do this to avoid an and statement:
config case_sensitive = false
|dataset = xdr_data
|filter event_type = ENUM.PROCESS
|filter action_process_image_name = "msdt.exe" and action_process_image_command_line = "*PCWDiagnostic*IT_RebrowseForFile*"
|fields agent_hostname, action_process_username as User, action_process_image_name as Child_Process, action_process_image_path as Child_Path, action_process_image_command_line as Child_CMD_Line, action_process_image_sha256 as Child_SHA256, actor_process_image_name as Parent_Process, actor_process_image_path as Parent_Path, os_actor_process_command_line as Parent_CMD_Line
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-31-2022 11:53 PM
Hi @Luc_Desaulniers ,
thanks for the hint with the custom prevention rules. i really didnt think of that 🙂
works like a charm!
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-01-2022 02:29 AM
https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability/
mentions ""WildFire and Cortex XDR categorize all known samples we’ve come across as malware.""
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-02-2022 08:23 AM
Please check out our latest blog post Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190).
Related Content
- Vulnerability Assessment - missing CVE? in Cortex XDR Discussions
- export/view information about Windows endpoints missing with KB in Cortex XDR Discussions
- Vulnerability Assessment Applications / host insights addon in Cortex XDR Discussions
- XQL or API access to Vulnerability Assessments in Cortex XDR Discussions
- Cortex XDR PoC Lab ft. CVE-2021-3560 in Cortex XDR Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks