SUSP_PS1_Msdt_Execution_May22

Rule Info

Av Ratio
4.94
Score
75
Name
SUSP_PS1_Msdt_Execution_May22
Minimum Yara
1.7
Required Modules
[]
Description
Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation
Reference
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
Modified
2022-06-20
Date
2022-05-31
Tags
['T1086', 'SCRIPT', 'DEMO', 'T1059_001', 'CVE_2022_30190', 'SUSP']
Rule Hash
438043df41b92e3ece642b0d0e802060
Author
Nasreddine Bencherchali, Christian Burkard
Virustotal Matches
https://www.virustotal.com/gui/search/susp_ps1_msdt_execution_may22/comments
Community Rule
https://github.com/Neo23x0/signature-base/search?q=SUSP_PS1_Msdt_Execution_May22

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
2
Suspicious (< 10 engines)
13
Clean (0 engines)
10

Rule Matches

Positives
Hash
Total
Timestamp
VT
4
8af0b95e1d25c545ac64f600605f2361c921739ccb719e5484beac890eff6fc1
56
2022-06-14 19:22:56
3
a692a8db038cc63bcdc44b617387d1f41a8f4d4d3dcac55de86990c0a6c9c1c1
56
2022-06-13 13:44:46
0
aed5ac2857511c96f99092337be854aedd4953f05a2dc06bf32d60132a408307
57
2022-06-12 11:21:52
3
77c8f41b5a6829e341e8d887df719bb4d8d768cc0845fdacd5f3481100f8dd37
56
2022-06-11 20:42:55
5
781de1ea55ce2b2cb7f20cfbb26060c254440b1a4842aabcc51044477c9d8dbc
56
2022-06-09 20:23:26
2
69357d30aba961f8fac95c8c8ea781bd27861aea63f25320562966e58389d274
55
2022-06-09 20:18:06
1
2238294eb732bdc669094d74be5791d6046a494d45b5baf8a4f4b1ce23208ba3
56
2022-06-09 11:47:13
1
6a0fd7e69fb9bf184da57fb780365e7afd01679721e109206b6b1fa98db21a67
56
2022-06-08 19:58:38
2
3aa16a340aacc5aecbdb902a5f6668f117b62e27966ab41f8a71a1dd1a08f8bd
56
2022-06-08 18:35:02
3
06f8989d905dc25340b9ef9b009f2e4029f237925ac61b35e92bab443605e480
55
2022-06-08 13:04:05
0
0237e36526ba09c9b097655845f86c1c1090f463219c21c03bb5bd2ab83708f5
57
2022-06-08 08:46:47
0
a59d6226e63f9187738c47a91ea1e56e6cd990f01352a79af4a28edb289a14c5
57
2022-06-08 00:23:32
3
ffbcb1ffd3b3cd1e6b0f0e579cb7645c8e09b4e4bc03e93cb0f068ab37712263
55
2022-06-07 07:57:14
0
135a4cc0c091a4f02a55420fb58d04494f2ce3919ddd6d739f3ad16f60ecf43e
67
2022-06-07 06:50:58
0
54c87bfb2e8d1a0cce310ef615e949f485ab63f8afd4de489824976c780453bd
65
2022-06-07 06:44:12
0
e49bc1d7d100a296310d3fd8c8f0cf117dcdd200d52696ca60bc855ef4f5840d
67
2022-06-07 06:42:58
0
06e46f5b35eccaa29d4726a21fa563ab6348779a5a791a6a206fdee990115c8b
57
2022-06-06 12:34:54
0
15407160a8e556a586ed074dd2c3494775cc77cec8675425884891074e7caf13
57
2022-06-06 10:54:19
0
b4ded381c95d304cc6829fbd0810698c216a04e33916d01e04727c7fdf36940c
57
2022-06-05 20:49:38
16
1f63e858b45dc8dfc3befdcf8d743ed36ca43acc31a9b5b6646469c317b26729
56
2022-06-05 07:13:44
1
b299e7cec8b0b9a52b27e913636ce0c4d7f9e4190b019517dd67833326f91e5c
57
2022-06-03 20:53:07
9
4ec47c2389c7a2deefa046dab49af519d51bac5155ba7a80a6ddcbbc6985676b
50
2022-06-03 13:37:32
14
f2d96d53f9cfa7c9b0fa4c0ec135cf4b3eabef78efc9799c5fd282796e64c4ef
56
2022-06-03 09:02:24
0
ea00e719127a30e72ffa6a2cf97730d687f74a4b61cb687f7bb3bbc1addc56e9
57
2022-06-01 02:11:49
1
4e03b26efbf9ed20c80319bc8a72d330c727a216e74c31cf97ccb5b85ab8f424
57
2022-05-31 17:24:34

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020