Pricing Login
Pricing
Support
Demo
Interactive demos

Click through interactive platform demos now.

Live demo, real expert

Schedule a platform demo with a Sumo Logic expert.

Start free trial
Back to blog results

June 16, 2022 By Threat Labs

Follina - CVE-2022-30190

Background

Monday, May 30th, 2022, Microsoft issued CVE-2022-30190 for a Remote Code Execution vulnerability with the Microsoft Support Diagnostic Tool (MSDT) in Windows:

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights.” - Microsoft Security Response Center¹

Microsoft has published information and mitigation recommendations pending possible further action from Microsoft.

What does this mean?

With a crafted Word or Rich Text Format (RTF) document, an attacker can embed an external HTML reference to retrieve and execute code that contains an MSDT URL protocol schema. Windows will run the URL, executing the Diagnostic Tool to run the attacker-provided code with the program's privileges running the document.

What brought this to the attention of the Internet?

On Friday, May 27th, 2022, security researcher @nao_sec shared a Microsoft Word document on Twitter², abusing Microsoft’s Support Diagnostic Tool to run malware. Opening the document retrieved a script from the attacker website containing an MSDT protocol URL with an encoded PowerShell script to run a series of commands. Kevin Beaumont (@GossiTheDog) brought @nao_sec’s finding to the attention of Twitter and dubbed this attack “Follina”³.

What defenders can do

In Windows environments, with good endpoint visibility (Windows Events, Sysmon, EDR, etc.), seeing MSDT activity will be a normal occurrence. With the exploitation of CVE-2022-30190, there will be additional behavior to investigate, such as:

  • Word as the parent of MSDT.exe with suspicious command lines

  • Command lines containing MSDT protocol schema URLs and possible file execution

  • Command lines containing MSDT protocol schema URLs and PowerShell invocation

  • Suspicious MSDT.exe execution and corresponding SDiagNHost.exe process creation with suspicious child process and command line

Sumo Logic searches

The following queries are useful for profiling and identifying activity related to CVE-2022-30190 and are built using Sumo Logic Cloud SIEM records. They are intended to provide starter search logic for adaptation to search across the raw data sources available in the Sumo Logic Continuous Intelligence Platform™ and other tools.

Word as parent of MSDT.exe with command line profiling

Search objective: Identify Process Creation events where an MSDT.exe process was created with Word (winword.exe) as the parent application while aggregating these events by hostname (or user) and display the associated Command Line, with corresponding process lineage (parent/baseImage).


_index=sec_record_endpoint (“msdt.exe” “winword.exe”)
| where toLowerCase(parentBaseImage) matches “winword.exe”
| count by device_hostname,user_username,parentBaseImage,baseImage,commandLine
| order by _count DESC

Command lines containing MSDT protocol schema URLs with file execution

Search objective: Identify Process Creation events with the MSDT URL protocol in the command line, with the use of the IT_BrowseForFile and IT_RebrowseForFile arguments to direct MSDT to execute attacker code or an intended executable.

Reference: Huntress Labs Post⁴

_index=sec_record_endpoint (“ms-msdt:” “PCWDiagnostic” “BrowseForFile” “RebrowseForFile”)
| where toLowerCase(commandLine) matches “*ms-msdt:*”
| count by device_hostname,parentBaseImage,baseImage,commandLine
| order by _count DESC

Command lines containing MSDT protocol schema URLs with PowerShell invocation:

Search objective: Identify Process Creation events with the MSDT URL protocol and PowerShell Invoke command, where MSDT will be executing a PowerShell script or command.

_index=sec_record_endpoint (“ms-msdt:” “PCWDiagnostic” “BrowseForFile” “RebrowseForFile” “Invoke-”)
| where toLowerCase(commandLine) matches “*ms-msdt:*(Invoke-*”
| count by device_hostname,parentBaseImage,baseImage,commandLine
| order by _count DESC

SDiagNHost.exe process creation with suspicious child process with command lines:

Search objective: Upon executing MSDT, it will create a process with the parent process of SDiagNHost.exe. Msdt.exe is not the parent of the sdiagnhost.exe process. After excluding commonly observed binaries associated with sdiagnhost.exe execution, the results are aggregated by device_hostname, BaseImage or process name, and command line for further analysis and investigation.

Reference: @neonprimetime via Twitter⁵

_index=sec_record_endpoint “sdiagnhost.exe” !("conhost.exe" OR "route.exe" OR "netsh.exe" OR "ping.exe" OR "wpr.exe" OR "makecab.exe" OR "ipconfig.exe" OR "csc.exe" OR "chrome.exe" OR "w32tm.exe" OR "net.exe" OR "bitsadmin.exe" OR "sc.exe" OR "sfc.exe" OR"dismhost.exe")
| where toLowerCase(parentBaseImage) matches “sdiagnhost.exe”
| count by device_hostname,parentBaseImage,baseImage,commandLine
| order by _count DESC

Microsoft Support Diagnostic Tool (msdt.exe) profiling with command lines:

Search objective: Identify Process Creation events with msdt.exe to understand frequency and see the variations of command lines.

_index=sec_record_endpoint “msdt.exe” | where toLowerCase(baseImage) matches “*msdst.exe” | values(commandLine) as commandLines, count by parentBaseImage,BaseImage

Scripted Diagnostic Native Host (sdiagnhost.exe) profiling with command lines:

Search objective: Identify Process Creation events with msdt.exe to understand the frequency and see the variations of command lines.

_index=sec_record_endpoint “sdiagnhost.exe”
| where toLowerCase(parentBaseImage) matches “*sdiagnhost.exe”
| count_distinct(device_hostname) as host_count, count by BaseImage,commandLine

Sumo Logic Cloud SIEM Enterprise Rules

The Threat Labs team has developed and deployed the following rules for Sumo Logic Cloud SIEM Enterprise (CSE) to provide detection opportunities for possible attempted and successful exploitation of CVE-2022-30190. Modifications to these detections and new detections will be released if the situation warrants it.

Rule ID

Rule Name

MATCH-S00811

MS Office Product Spawning Msdt.exe

MATCH-S00812

Microsoft Support Diagnostic Tool with BrowseForFile

MATCH-S00813

Microsoft Support Diagnostic Tool Invoking PowerShell

MATCH-S00814

Abnormal Child Process - sdiagnhost.exe

These rules provide multiple detection opportunities for exploitation of CVE-2022-30190, beginning with Malicious Documents interacting with the Microsoft Support Detection Tool process to the process creation events of SDiagNHost and the possibly malicious payload.

Recommendations

Threat Labs recommends that readers assess the potential exposure in their environment, use the queries provided to hunt for exploitation, better understand the mechanisms involved in the exploitation of CVE-2022-30190, and hunt for possible malicious activity. Sumo Logic Cloud SIEM Enterprise customers have access to the above rules, providing detection opportunities for customers with Process Creation events.

On June 14th, Microsoft included an update for CVE-2022-30190 with the June patch Tuesday release. Please reference updated guidance from Microsoft on the vulnerability here (CVE reference).

References

  1. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

  2. https://twitter.com/nao_sec/status/1530196847679401984

  3. https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

  4. https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

  5. https://twitter.com/neonprimetime/status/1531719870378811398

  6. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

  7. https://lolbas-project.github.io/lolbas/Binaries/Msdt/

  8. https://isc.sans.edu/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme+CVE202230190/28694/

  9. https://isc.sans.edu/forums/diary/First+Exploitation+of+Follina+Seen+in+the+Wild/28698/

  10. https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

  11. https://twitter.com/nao_sec/status/1530197800369389568

  12. https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/

  13. https://benjamin-altpeter.de/shell-openexternal-dangers/

  14. https://www.file.net/process/sdiagnhost.exe.html

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial

Threat Labs

Sumo Logic Threat Labs is built to deliver a continuous stream of deep detection content, rapid response guidance, and actionable best practices to Sumo Logic security customers. The team is staffed with domain experts with backgrounds in forensics, incident response, and red/blue teaming, as well as offensive and defensive cyber operations in the United States military and intelligence services. Informed by deep human expertise, Threat Labs will also play a larger role in contributing advanced detection logic and best practices to the security community to help collectivize the defense.

More posts by Threat Labs.

People who read this also enjoyed