Detecting CVE-2022–30190 “Follina”

David Vassallo
Published in CyberSift
Jun 8, 2022

CyberSift has just pushed an update to its Windows Context Workers in order to detect attempts to exploit the CVE-2022-30190 "Follina" vulnerability. Follina abuses the Microsoft Support Diagnostic Tool (MSDT) to give an attacker remote code execution when a victim opens an Office file such as a Word document, or even via Outlook.

Pre-requisites

Windows sysadmins should have enabled process creation auditing across the domain and should be collecting those logs centrally.

This enables CyberSift to start analyzing Windows event ID 4688, which records the executable that was run, the arguments it was given, and the parent process that launched it. The event is useful in a wide variety of situations, so we recommend enabling it regardless of your exposure to Follina.

Alerting

CyberSift will automatically issue "high" severity alerts with the description "CVE CVE-2022-30190 has been detected", along with the original event that actually triggered the alert. The context worker takes care of some corner cases such as case insensitivity, but in a nutshell the following Lucene query is being checked:

winlog.event_id:4688 AND (winlog.event_data.ParentProcessName:(*WINWORD.exe* OR *POWERPNT.exe* OR *EXCEL.exe* OR *OUTLOOK.exe*) AND (winlog.event_data.NewProcessName:*msdt.exe* OR winlog.event_data.CommandLine:*msdt.exe*))

The query essentially looks for 4688 events where the new process corresponds to the Microsoft Support Diagnostic Tool executable (msdt.exe) and the parent process is one of the Microsoft Office suite applications or MS Outlook.

Update

Attackers do not need to rely on Office or Outlook to launch this attack. PowerShell's wget cmdlet (an alias for Invoke-WebRequest) blindly follows redirections to the malicious content whenever the link references the ms-msdt protocol, so the parent process may not be an Office application at all.

A more generic query that captures this kind of event regardless of the parent process would be:

(winlog.event_data.CommandLine:(*msdt.exe* OR *ms-msdt\:-id* OR *ms-msdt\:\/id*) AND winlog.event_data.CommandLine:*PCWDiagnostic* AND winlog.event_data.CommandLine:(*IT_BrowserForFile* OR *IT_LaunchMethod* OR *IT_RebrowseForFile*) AND winlog.event_data.CommandLine:(\/\/ OR .\/ OR \/. OR ..\/))
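The two Lucene queries above can be hard to reason about in isolation, so here is the same detection logic expressed in plain Python and run over a handful of constructed 4688 events. This is an added example, not CyberSift's context worker code; the event layout (winlog.event_id, winlog.event_data.ParentProcessName, NewProcessName, CommandLine) follows the field names used in the queries, the sample events are constructed for illustration and are not real telemetry, and the PLACEHOLDER string stands in for whatever an attacker would put after the parameter. Both the Office-parent rule and the parent-agnostic command-line rule are implemented, and every comparison is lower-cased to mirror the case-insensitive matching the post mentions.

```python
"""Python rendering of the two Follina detection queries from the post.

Added example, not CyberSift's own code. Field names mirror the post's
winlog.* queries; the sample events at the bottom are constructed.
"""
from __future__ import annotations

# Lucene wildcards (*WINWORD.exe*) are substring matches, so plain `in` checks
# on lower-cased strings reproduce them.
OFFICE_PARENTS = ("winword.exe", "powerpnt.exe", "excel.exe", "outlook.exe")
MSDT_MARKERS = ("msdt.exe", "ms-msdt:-id", "ms-msdt:/id")
IT_PARAMS = ("it_browserforfile", "it_launchmethod", "it_rebrowseforfile")
PATH_TOKENS = ("//", "./", "/.", "../")


def _field(event: dict, name: str) -> str:
    """Return winlog.event_data.<name> lower-cased, or '' if the field is absent."""
    return str(event.get("winlog", {}).get("event_data", {}).get(name, "")).lower()


def matches_office_msdt(event: dict) -> bool:
    """First query: a 4688 event whose parent is an Office/Outlook binary and
    whose new process or command line references msdt.exe."""
    if event.get("winlog", {}).get("event_id") != 4688:
        return False
    parent = _field(event, "ParentProcessName")
    if not any(p in parent for p in OFFICE_PARENTS):
        return False
    return ("msdt.exe" in _field(event, "NewProcessName")
            or "msdt.exe" in _field(event, "CommandLine"))


def matches_generic_msdt(event: dict) -> bool:
    """Second query (parent-agnostic): an msdt invocation that names the
    PCWDiagnostic pack, one of the IT_* parameters, and a path token."""
    cmd = _field(event, "CommandLine")
    return (
        any(m in cmd for m in MSDT_MARKERS)
        and "pcwdiagnostic" in cmd
        and any(p in cmd for p in IT_PARAMS)
        and any(t in cmd for t in PATH_TOKENS)
    )


def classify(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event_index, rule_name) for every event that should alert."""
    hits = []
    for i, ev in enumerate(events):
        if matches_office_msdt(ev):
            hits.append((i, "office-parent-msdt"))
        if matches_generic_msdt(ev):
            hits.append((i, "generic-msdt-commandline"))
    return hits


def make_event(event_id: int, parent: str, new_process: str, command_line: str) -> dict:
    """Build a minimal winlog-shaped event dict (constructed test data helper)."""
    return {"winlog": {"event_id": event_id, "event_data": {
        "ParentProcessName": parent,
        "NewProcessName": new_process,
        "CommandLine": command_line,
    }}}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: Word spawned msdt.exe -> first rule fires. The command line has no
    #    IT_* parameter, so the generic rule stays quiet.
    make_event(4688, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               r"C:\Windows\System32\msdt.exe", "msdt.exe -id PCWDiagnostic"),
    # 1: PowerShell parent (the post's update case) -> only the generic rule fires.
    make_event(4688, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\System32\msdt.exe",
               'msdt.exe ms-msdt:/id PCWDiagnostic /param "IT_RebrowseForFile=../PLACEHOLDER"'),
    # 2: Legitimate troubleshooter launched from Explorer -> no alert.
    make_event(4688, r"C:\Windows\explorer.exe", r"C:\Windows\System32\msdt.exe",
               "msdt.exe -id NetworkDiagnosticsWeb"),
    # 3: Outlook opening a browser link -> Office parent but no msdt, no alert.
    make_event(4688, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
               r"C:\Program Files\Mozilla Firefox\firefox.exe",
               "firefox.exe https://example.invalid/"),
]

if __name__ == "__main__":
    for idx, rule in classify(SAMPLE_EVENTS):
        print(f"high: CVE CVE-2022-30190 has been detected (event #{idx}, rule {rule})")
```

Running the module prints one alert line for event 0 (Office parent) and one for event 1 (generic command-line rule); the explorer.exe and Outlook-to-browser events produce nothing, which is the behaviour you would expect when tuning the queries against normal MSDT troubleshooter usage.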
