Detecting suspicious msdt.exe processes (Follina 0-day exploit)
  • 01 Jun 2022
  • Dark
    Light

Detecting suspicious msdt.exe processes (Follina 0-day exploit)

  • Dark
    Light

Article Summary

This article will explain how to create a rule in Elastic Security to detect behavior associated with the Follina 0-day exploit, specifically to detect instances of the Microsoft Diagnostic Tool spawning from Microsoft Office processes. This rule will use EQL (Event Query Language) to search for evidence of this behavior in collected data.

  1. In Kibana, open the navigation sidebar and select Security > Alerts
    Screen Shot 2022-05-31 at 9.51.36 AM.png
  2. On the resulting page, select Rules from the sidebar
    Screen Shot 2022-05-31 at 9.52.10 AM.png
  3. At the top right of the page, click on Create new rule
    Screen Shot 2022-05-31 at 9.52.32 AM.png
  4. This will bring you to the rule creation page. Start by selecting Event Correlation as the rule type
    Screen Shot 2022-05-31 at 9.53.09 AM.png
  5. Enter the following EQL query in the EQL query box that appears below and click continue:
process where event.type in ("start", "process_created") and
 (process.pe.original_file_name : "msdt.exe" or process.name : "msdt.exe") and
 (process.parent.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") or
 process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"))

Screen Shot 2022-05-31 at 9.53.54 AM.png

  1. In the next section, enter a Name, Description, and Default severity for the newly created rule as you see fit, and then click Continue
    Screen Shot 2022-05-31 at 9.54.46 AM.png


  2. In the Rule actions section, set Actions frequency to "On each rule execution." This will ensure that the alert is triggered each time the behavior is detected.
  3. Under Actions, selected a connector type of your choice and enter the corresponding details. Make sure at least one connector is selected, so that an alert will be sent out upon detection.

Screen Shot 2022-05-31 at 9.56.40 AM.png

Optional Extra Step

If you would like to also detect Microsoft Diagnostic Tool execution from File Explorer, repeat the above steps with the following EQL query. Please keep in mind that this query is more likely to result in false positives, as the Diagnostic Tool process can be spawned from File Explorer in normal situations unrelated to the exploit.

process where event.type in ("start", "process_created") and
 (process.pe.original_file_name : "msdt.exe" or process.name : "msdt.exe") and
 (process.parent.pe.original_file_name : ("explorer.exe") or
 process.parent.name : ("explorer.exe"))

Was this article helpful?