MSDT_CVE-2022-30190

This repository talks about the Follina MSDT vulnerability from a defender's perspective.

Primary language: YARA. License: Creative Commons Zero v1.0 Universal (CC0-1.0).

About

The bug is a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability reported by crazyman of the Shadow Chaser Group. Microsoft is now tracking it as CVE-2022-30190. The flaw impacts all Windows versions still receiving security updates (Windows 7+ and Server 2008+).

As security researcher nao_sec found, it is used by threat actors to execute malicious PowerShell commands via MSDT in what Redmond describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents.

"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," Microsoft explains.

Timeline

  • April 12th 2022 - First report to Microsoft MSRC, by the leader of Shadowchasing1, an APT hunting group. The reported document was an in-the-wild, real-world exploit targeting Russia, themed as a Russian job interview.
  • April 21st 2022 - Microsoft MSRC closed the ticket, saying it was not a security-related issue (for the record, msdt executing with macros disabled is an issue).
  • May ?? 2022 - Microsoft may have tried to fix this, or accidentally fixed it, in the Office 365 Insider channel, without documenting a CVE or writing it down anywhere. The other products remain vulnerable.
  • May 27th 2022 - nao_sec tweeted a document uploaded from Belarus, which is also an in-the-wild attack.
  • May 27th 2022 - Reported back to MSRC.
  • May 29th 2022 - Andy Ful publicly identified this as a zero day, as it still works against the Office 365 Semi-Annual channel and on-prem Office versions, and EDR products are failing to detect it.

Understanding the Exploit

  • You can refer to the Huntress blog HERE to understand the full details of how this exploit works.
  • Watch this VIDEO to understand the exploit and its remediation.

List of IOCs

  • Main object - 05-2022-0438.doc
    • sha256 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
    • sha1 06727ffda60359236a8029e0b3e8a0fd11c23313
    • md5 52945af1def85b171870b31fa4782e52
  • Dropped executable file
    • sha256 C:\Users\admin\AppData\Local\Temp\SDIAG_ecb8c0a2-7a1e-4b6c-8ae0-2245f03bcc15\DiagPackage.dll 3218488d62cb0858101d2ec63ec73a032bc9787f5f87cb46abbea4477c97b16f
    • sha256 C:\Users\admin\AppData\Local\Temp\SDIAG_ecb8c0a2-7a1e-4b6c-8ae0-2245f03bcc15\en-US\DiagPackage.dll.mui c6d837ec0850e22c83b400fcded1791a2f4f99f0c56d6fc7d93e92a8b72c098d
    • sha256 C:\Users\admin\AppData\Local\Temp\r5qxr4ie.dll aa967ae9f6d80bdbd0f315defa17aaee0e756e7e2ad0e5261d8254bc0af1cc02
    • sha256 C:\Users\admin\AppData\Local\Temp\t52wyhbe.dll daf716cbe8810085251e6ef1e39869a9e61d929fac12ea5684c3b2caf993666b
    • sha256 C:\Users\admin\AppData\Local\Temp\qtwoghs1.dll f5361b6c9db8ac25433ae21f9a7b6490cc372ce2b1f802e2b06d5b904ce97109
  • DNS requests
    • domain www[.]xmlformats[.]com
  • Connections
    • ip 141.105.65.149
    • ip 20.42.65.85
    • ip 13.107.42.16
  • HTTP/HTTPS requests
    • url hxxps://www[.]xmlformats[.]com/office/word/2022/wordprocessingDrawing/
    • url hxxps://www[.]xmlformats[.]com/office/word/2022/
    • url hxxps://www[.]xmlformats[.]com/office/word/2022/wordprocessingDrawing/RDF842l[.]html

Detection Strategy

  • For threat hunting, the Sigma rule can be found HERE

  • Below are the detection rules, which can be further tuned. Kudos to Bala Ganesh. The full article can be found HERE

  • MS Defender:

DeviceProcessEvents | where ((ProcessCommandLine contains "WINWORD.EXE") and (ProcessCommandLine contains "msdt.exe") and (ProcessCommandLine contains "sdiagnhost.exe" or ProcessCommandLine contains "csc.exe" or ProcessCommandLine contains "PCWDiagnostic" or ProcessCommandLine contains "IT_ReBrowserForFile" or ProcessCommandLine contains "IT_BrowserForFile" or ProcessCommandLine contains "conhost.exe"))
  • Splunk:
[Doc Malware]
alert.severity = 2
description = Detection (Rule ID: 74566a6a66aaasdq2ed)
cron_schedule = 0 * * * *
disabled = 1
is_scheduled = 1
is_visible = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
search = (source="WinEventLog:*" AND (CommandLine="*WINWORD.EXE*") AND (CommandLine="*msdt.exe*") AND (CommandLine="*sdiagnhost.exe*" OR CommandLine="*csc.exe*" OR CommandLine="*PCWDiagnostic*" OR CommandLine="*IT_ReBrowserForFile*" OR CommandLine="*IT_BrowserForFile*" OR CommandLine="*conhost.exe*"))
alert.suppress = 0
alert.track = 1
  • Qradar:
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("Process CommandLine" ilike '%WINWORD.EXE%') and ("Process CommandLine" ilike '%msdt.exe%') and ("Process CommandLine" ilike '%sdiagnhost.exe%' or "Process CommandLine" ilike '%csc.exe%' or "Process CommandLine" ilike '%PCWDiagnostic%' or "Process CommandLine" ilike '%IT_ReBrowserForFile%' or "Process CommandLine" ilike '%IT_BrowserForFile%' or "Process CommandLine" ilike '%conhost.exe%')
  • Graylog:
(CommandLine.keyword:*WINWORD.EXE* AND CommandLine.keyword:*msdt.exe* AND CommandLine.keyword:(*sdiagnhost.exe* *csc.exe* *PCWDiagnostic* *IT_ReBrowserForFile* *IT_BrowserForFile* *conhost.exe*))
  • Sumo Logic:
(_sourceCategory=*windows* AND (CommandLine = "*WINWORD.EXE*") AND (CommandLine = "*msdt.exe*") AND (CommandLine = "*sdiagnhost.exe*" OR CommandLine = "*csc.exe*" OR CommandLine = "*PCWDiagnostic*" OR CommandLine = "*IT_ReBrowserForFile*" OR CommandLine = "*IT_BrowserForFile*" OR CommandLine = "*conhost.exe*"))
  • Elastic KQL:
(process.command_line:*WINWORD.EXE* AND process.command_line:*msdt.exe* AND process.command_line:(*sdiagnhost.exe* OR *csc.exe* OR *PCWDiagnostic* OR *IT_ReBrowserForFile* OR *IT_BrowserForFile* OR *conhost.exe*))

The query below, described by Brent Murphy HERE, can also be applied

process where event.type in ("start" , "process_created") and (process.pe.original_file_name : "msdt.exe" or process.name : "msdt.exe") and (process.parent.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") or process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"))
  • You can hunt for this attack using XQL Search in Cortex XDR. Find more HERE
# office processes spawning msdt.exe

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_command_line contains "msdt.exe" and actor_process_image_name in ("winword.exe", "powerpnt.exe", "excel.exe", "msaccess.exe","visio.exe","onenote.exe","powershell.exe")
| fields agent_hostname , action_process_image_command_line , action_process_image_path , actor_process_command_line , actor_process_image_path , causality_actor_process_image_path

# msdt.exe execution with suspicious argument

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_command_line contains "msdt.exe" and
action_process_image_command_line contains "it_browseforfile"
| fields agent_hostname , action_process_image_command_line , action_process_image_path , actor_process_command_line , actor_process_image_path , causality_actor_process_image_path
  • In addition to hunting for the behaviour, it is also useful to query the registry key HKEY_USERS\<SID>\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache\* at scale and analyse the results. Refer to the full post HERE
  • Velociraptor has created detection logic HERE that returns Office Internet Server Cache registry keys and values, in order to identify possible C2 URLs from malicious Office documents that were opened.
  • A YARA rule developed by Joe Security can be found HERE
  • A Crowdstrike query can be done as below:
index=main (ProcessRollup2 OR SyntheticProcessRollup2 OR ProcessBlocked*) ParentBaseFileName IN ("OUTLOOK.EXE","WINWORD.EXE","EXCEL.EXE") CommandLine="*msdt.exe*"
| table ComputerName ParentBaseFileName CommandLine FileName
  • The "PCW.debugreport.xml" file inside %localappdata%\Diagnostics and %localappdata%\ElevatedDiagnostics (for elevated instances) is generated when the exploit runs, and it contains the payload. Check it HERE
  • Current iterations of the proof of concept will invoke msdt.exe from a Microsoft Office application. A generalized hunting query for Crowdstrike Falcon can be found here:
index=main sourcetype=ProcessRollup* event_simpleName=ProcessRollup2
| search ParentBaseFileName IN (winword.exe, excel.exe, powerpnt.exe, outlook.exe) 
| search FileName=msdt.exe
| table _time, aid, ComputerName, UserName, UserSid_readable, ParentBaseFileName, FileName, CommandLine
| lookup local=true aid_master aid OUTPUT AgentVersion, Version, MachineDomain, OU, SiteName
  • To further profile and baseline normal msdt.exe usage in your environment, the following query can be used on Crowdstrike Falcon:
index=main sourcetype=ProcessRollup* event_simpleName=ProcessRollup2
| search FileName=msdt.exe
| eval FileName=lower(FileName)
| eval ParentBaseFileName=lower(ParentBaseFileName)
| stats dc(aid) as endpointCount, count(aid) as executionCount by FileName, ParentBaseFileName
| sort -executionCount
  • The Elastic Security team updated existing rules for the SIEM and added a new one for msdt.exe as a LOLBin. Check out Detection Rule1 and Rule2
  • If you are using MS Sentinel, you can use the queries below:
// Detects the exploitation of the Follina Microsoft code execution vulnerability

SecurityEvent 
| where EventID==4688 
| where ParentProcessName has_any ('winword.exe','excel.exe','outlook.exe') 
| where NewProcessName contains "msdt.exe" or CommandLine contains "msdt.exe"
| project TimeGenerated, NewProcessId, NewProcessName, ParentProcessName, CommandLine, EventID, Activity, Computer

// The query below could return false positives; please verify the output and modify the query according to your environment.

SecurityEvent 
| where EventID==4688 
| where ParentProcessName has_any ('sdiagnhost.exe', 'msdt.exe')
//| where NewProcessName contains "powershell" or NewProcessName contains "cmd.exe"  // optional: include this line to directly find powershell or cmd process spawns
| project TimeGenerated, NewProcessId, NewProcessName, ParentProcessName, CommandLine, EventID, Activity, Computer
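The vendor queries above all encode the same two process chains: an Office application spawning msdt.exe (optionally with the PCWDiagnostic / IT_BrowseForFile parameters), and the troubleshooting host (msdt.exe or sdiagnhost.exe) spawning a shell. The following Python is an added example, not one of the repository's rules, that implements both checks over constructed process-creation records modelled on 4688 / Sysmon fields, plus the per-parent baseline the Falcon profiling query produces. It goes slightly beyond the page's rules by also flagging an ms-msdt: URI launched from a non-Office parent at a lower severity. All paths, command lines and the `<PLACEHOLDER>` payload text are made up.

```python
"""Follina (CVE-2022-30190) process-chain triage over constructed process-creation
records. Added example, not one of the repository's vendor rules. Field names are
modelled on Windows 4688 / Sysmon Event 1, but every record below is made up."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Office parents used by the page's Cortex XDR / Crowdstrike / Sentinel queries.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
               "msaccess.exe", "visio.exe", "onenote.exe"}
# Troubleshooting hosts that end up running the attacker-supplied command.
DIAG_HOSTS = {"msdt.exe", "sdiagnhost.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parameter names the page's rules key on (lower-cased for matching).
SUSPICIOUS_ARGS = ("pcwdiagnostic", "it_browseforfile", "it_rebrowseforfile")


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # ParentProcessName / ParentImage
    image: str          # NewProcessName / Image
    command_line: str   # CommandLine


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of both path separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(ev: ProcEvent) -> tuple[str, list[str]]:
    """Return (verdict, reasons) where verdict is 'high', 'medium' or 'benign'."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    reasons: list[str] = []

    msdt_child = child == "msdt.exe" or "msdt.exe" in cmd
    if msdt_child:
        if parent in OFFICE_APPS:
            reasons.append(f"office app {parent} spawned msdt.exe")
        if "ms-msdt:" in cmd:
            reasons.append("ms-msdt: protocol handler invoked")
        reasons += [f"argument {a}" for a in SUSPICIOUS_ARGS if a in cmd]

    shell_from_diag = parent in DIAG_HOSTS and child in SHELLS
    if shell_from_diag:
        reasons.append(f"diagnostic host {parent} spawned {child}")

    if not reasons:
        return "benign", reasons
    office_chain = msdt_child and parent in OFFICE_APPS
    # Office -> msdt.exe with the handler/arguments, or diag host -> shell, is high;
    # a lone indicator (e.g. the URI handler from a browser) is worth a look only.
    if shell_from_diag or (office_chain and len(reasons) > 1):
        return "high", reasons
    return "medium", reasons


def baseline(events) -> Counter:
    """Count msdt.exe launches per parent, like the page's Falcon profiling query."""
    return Counter(basename(e.parent_image) for e in events
                   if basename(e.image) == "msdt.exe")


def triage(events) -> list[tuple[str, ProcEvent]]:
    """Non-benign events, highest verdict first."""
    rank = {"high": 0, "medium": 1}
    hits = [(classify(e)[0], e) for e in events]
    return sorted([(v, e) for v, e in hits if v != "benign"], key=lambda h: rank[h[0]])


# Constructed telemetry; payload text is replaced by <PLACEHOLDER>.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\msdt.exe",
              r'"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
              r'/param "IT_RebrowseForFile=? IT_BrowseForFile=<PLACEHOLDER>"'),
    ProcEvent(r"C:\Windows\System32\sdiagnhost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command <PLACEHOLDER>"),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Windows\System32\msdt.exe",
              r'"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msdt.exe",
              "msdt.exe /id AudioPlaybackDiagnostic"),   # constructed benign launch
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe"),  # Word helper, not msdt
]

if __name__ == "__main__":
    for verdict, ev in triage(SAMPLE_EVENTS):
        print(verdict, basename(ev.parent_image), "->", basename(ev.image), classify(ev)[1])
    print("msdt.exe launches by parent:", dict(baseline(SAMPLE_EVENTS)))
```

Feed `classify` real 4688 or Sysmon records by mapping your SIEM's field names onto `ProcEvent`; the `baseline` counter is what you would compare against the explorer.exe / control-panel parents that legitimately launch troubleshooters before alerting on the rest.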

Testing and Researching

⚠⚠ PLEASE USE THE BELOW ONLY FOR RESEARCH AND LEARNING PURPOSES

  • Leverage the attached SAMPLES
  • Leverage the awesome codes and platform created by John Hammond HERE
  • Weaponized CVE-2021-40444 can be found HERE
  • Leverage this POC created by Cas van Cooten HERE

Mitigation Plans

  • Removing the protocol handler for ms-msdt is likely the safest mitigation vector until there’s an official response from Microsoft. We have not tested this method in large enterprises, so there may be some secondary effects of widely disabling the protocol handler. However, considering the implications of successful exploitation (arbitrary code execution), this seems like a reasonable risk-based approach (at least on any systems where Office documents are opened). Removing the protocol handler is as simple as executing the following command in an elevated command prompt:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Note: back up the contents of this key before deleting it, so it can be merged back into the registry once a patch is available.

  • You can use the PS script below to achieve the registry modification. Credit to Kelvin Tegelaar
$ENV:ActivateWorkaround = "Yes"   # set to anything other than "Yes" to roll the change back
if($ENV:ActivateWorkaround -eq "Yes") {
    # Expose HKEY_CLASSES_ROOT as a PS drive, then neutralise the ms-msdt handler by
    # renaming its key (the default value is changed too so the backup is recognisable)
    New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
    Set-Item -Path "HKCR:\ms-msdt" -Value "URL:ms-msdt_bak"
    Rename-Item -Path "HKCR:\ms-msdt" -newName "ms-msdt_bak"
} else {
    # Roll back: restore the original key name and default value once a patch is applied
    New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
    Rename-Item -Path "HKCR:\ms-msdt_bak" -newName "ms-msdt"
    Set-Item -Path "HKCR:\ms-msdt" -Value "URL:ms-msdt"
}

  • Educate your users to ALWAYS report any email containing attachments and to NOT OPEN them. This vulnerability can be exploited even by just hovering over the attachment, so end users MUST BE CAUTIOUS.
  • If utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited. However, if you’re not yet using ASR you may wish to run the rule in Audit mode first and monitor the outcome to ensure there’s no adverse impact on end users.

References