05-31-2022 05:35 AM
Does Cortex XDR Prevent protect against CVE-2022-30190 (Microsoft Support Diagnostic Tool Vulnerability)?
Thank you!
05-31-2022 07:17 AM
That's true. That is why I first searched for all occurring msdt.exe and added all hashes 😉
As far as I see, disabling diagnostics doesn't seem to help here, as the binary is still there and handling URLs.
The only "real" workaround, afaik, is to disable the msdt URL protocol, as stated by Microsoft.
BUT you will have to do registry changes everywhere, and revert (if needed) later.
So, blocking the hashes in the meantime, until a patch is available, seems to be the less invasive way to go...
05-31-2022 07:49 AM
FYI, some IOCs for this CVE, which might help:
At least the initial malicious document is already recognized by Cortex/Wildfire:
4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
05-31-2022 07:53 AM - edited 05-31-2022 08:00 AM
Hm, I'm not sure. I disabled both:
Scripted Diagnostics
and
Allow users to access and run Troubleshooting Wizards
Let's see if there will be another way to block this with Cortex soon...
Update - looks like a legit workaround:
You can disable this via GPO (which is a fully supported method vs the reg hacks)
You do this via registry:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics" /t REG_DWORD /v EnableDiagnostics /d 0
05-31-2022 10:22 AM
The following queries can be executed for hunting successful exploitation:
// msdt.exe execution with suspicious argument
config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_command_line contains "msdt.exe" and action_process_image_command_line contains "it_browseforfile"
| fields agent_hostname , action_process_image_command_line , action_process_image_path , actor_process_command_line , actor_process_image_path , causality_actor_process_image_path
// office processes spawning msdt.exe
config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_command_line contains "msdt.exe" and actor_process_image_name in ("winword.exe", "powerpnt.exe", "excel.exe", "msaccess.exe","visio.exe","onenote.exe")
| fields agent_hostname , action_process_image_command_line , action_process_image_path , actor_process_command_line , actor_process_image_path , causality_actor_process_image_path
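The two hunting conditions above, as an added Python example that is not part of the original post and is not Palo Alto code: it applies the same filters offline to process events exported as JSON lines. The field names are taken from the queries; the rule names, the `_ev` helper and the sample events are assumptions constructed for illustration.

```python
import json

# Office parent processes named in the second query above.
OFFICE_PARENTS = {"winword.exe", "powerpnt.exe", "excel.exe",
                  "msaccess.exe", "visio.exe", "onenote.exe"}

def match_rules(event):
    """Return the hunting conditions (hypothetical rule names) an event meets."""
    # Lower-casing mirrors case_sensitive = false; `or ""` tolerates null fields.
    cmd = (event.get("action_process_image_command_line") or "").lower()
    parent = (event.get("actor_process_image_name") or "").lower()
    if "msdt.exe" not in cmd:
        return []
    hits = []
    if "it_browseforfile" in cmd:
        hits.append("msdt_suspicious_argument")
    if parent in OFFICE_PARENTS:
        hits.append("office_spawned_msdt")
    return hits

def hunt(lines):
    """Scan JSON-lines process events; return (hostname, rules, command line)."""
    results = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed rows instead of aborting the hunt
        if not isinstance(event, dict):
            continue
        hits = match_rules(event)
        if hits:
            results.append((event.get("agent_hostname"), hits,
                            event.get("action_process_image_command_line")))
    return results

def _ev(host, parent, cmd):
    return json.dumps({"agent_hostname": host, "actor_process_image_name": parent,
                       "action_process_image_command_line": cmd})

# Constructed sample events (not real telemetry); arguments are placeholders.
SAMPLE = [
    _ev("WS-01", "WINWORD.EXE", 'msdt.exe /param "IT_BrowseForFile=<placeholder>"'),
    _ev("WS-02", "explorer.exe", "msdt.exe /id ExampleDiagnostic"),
    _ev("WS-03", "excel.exe", "msdt.exe /id ExampleDiagnostic"),
    "{truncated row",
    _ev("WS-04", "winword.exe", "notepad.exe report.txt"),
    _ev("WS-05", None, 'MSDT.EXE /param "it_browseforfile=<placeholder>"'),
]
```

An event that satisfies both conditions (an Office parent and the `it_browseforfile` argument) is reported once with both rule names, which helps rank it above a plain Office-spawned msdt.exe.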
05-31-2022 11:42 AM
You could create a BIOC rule with that query and then assign this BIOC rule to a restriction profile so that it would prevent the action. It usually does the trick; keep in mind that BIOC rules aren't instantaneous, but depending on the actions, it usually reacts quickly enough to avoid most of the damage.