CVE-2022-30190: Zero-Click Zero-Day in msdt

msdt.exe (Microsoft Support Diagnostic Tool) is a Windows binary that runs the Diagnostics Troubleshooting Wizard. It ships with the Windows operating system and is used to run the various Windows troubleshooter packs.

Indicators of Compromise:

  1. Look for Office applications (winword.exe, powerpnt.exe, excel.exe, msaccess.exe, visio.exe, onenote.exe) spawning msdt.exe; every such event should be investigated and classified as a true positive or a false positive.
  2. Look for sdiagnhost.exe (the Scripted Diagnostics Native Host that msdt.exe hands the troubleshooter to) spawning conhost.exe and then the malicious payload.
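The two indicators above as a runnable hunt. This is an added example, not code from the original post; it reads Sysmon Event ID 1 (Process Create) records using Sysmon's own EventData field names (UtcTime, Image, ParentImage, CommandLine), and the sample records it runs over are constructed for the example. Note that sdiagnhost.exe is normally started by svchost.exe (DcomLaunch) rather than by msdt.exe, so a hunt that only walks children of msdt.exe misses the payload; that is why the second check keys on the children of sdiagnhost.exe instead.

```powershell
# Added hunting example; not code from the original post.
# Flags the two Follina process-tree indicators over Sysmon Event ID 1 records.
# Sample records below are constructed for this example.

# Office parents named in the indicators
$OfficeApps = @('winword.exe', 'powerpnt.exe', 'excel.exe', 'msaccess.exe', 'visio.exe', 'onenote.exe')

function Get-Leaf([string]$Path) {
    # File name only, lower-cased; split on either separator so this also
    # behaves when run under PowerShell on a non-Windows host
    return (($Path -split '[\\/]')[-1]).ToLowerInvariant()
}

function Find-MsdtAbuse {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = Get-Leaf $e.ParentImage
        $image  = Get-Leaf $e.Image
        $reason = $null
        if ($OfficeApps -contains $parent -and $image -eq 'msdt.exe') {
            $reason = 'IoC 1: Office application launched msdt.exe'
        }
        elseif ($parent -eq 'sdiagnhost.exe' -and $image -ne 'conhost.exe') {
            # conhost.exe is the normal console host for the scripted-diagnostics
            # host; any other child of sdiagnhost.exe is the payload to triage
            $reason = 'IoC 2: sdiagnhost.exe spawned a payload process'
        }
        if ($reason) {
            [PSCustomObject]@{
                UtcTime     = $e.UtcTime
                Reason      = $reason
                Parent      = $e.ParentImage
                Image       = $e.Image
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample records: one malicious chain (records 1, 2, 3, 4) and one
# benign, user-launched troubleshooter (record 5)
$SampleEvents = @(
    [PSCustomObject]@{ UtcTime = '2022-05-30 09:12:01'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\System32\msdt.exe'; CommandLine = 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "(constructed)"' }
    [PSCustomObject]@{ UtcTime = '2022-05-30 09:12:02'; ParentImage = 'C:\Windows\System32\svchost.exe'; Image = 'C:\Windows\System32\sdiagnhost.exe'; CommandLine = 'C:\Windows\System32\sdiagnhost.exe -Embedding' }
    [PSCustomObject]@{ UtcTime = '2022-05-30 09:12:03'; ParentImage = 'C:\Windows\System32\sdiagnhost.exe'; Image = 'C:\Windows\System32\conhost.exe'; CommandLine = '\??\C:\Windows\system32\conhost.exe 0x4' }
    [PSCustomObject]@{ UtcTime = '2022-05-30 09:12:03'; ParentImage = 'C:\Windows\System32\sdiagnhost.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -enc (constructed)' }
    [PSCustomObject]@{ UtcTime = '2022-05-30 10:00:00'; ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\msdt.exe'; CommandLine = 'msdt.exe /id NetworkDiagnosticsWeb' }
)

Find-MsdtAbuse -Events $SampleEvents | Format-Table -AutoSize

# To run the same hunt over real data on a host with Sysmon installed, convert
# the Sysmon operational log into the same record shape and pass it in:
# $real = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object {
#     $x = [xml]$_.ToXml(); $d = @{}
#     foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
#     [PSCustomObject]$d
# }
# Find-MsdtAbuse -Events $real | Format-Table -AutoSize
```

Only the WINWORD.EXE to msdt.exe record and the sdiagnhost.exe to powershell.exe record are reported: the sdiagnhost.exe to conhost.exe record is excluded by design, and the explorer.exe to msdt.exe record (a user opening a troubleshooter) is not an Office parent. Treat both hits as leads rather than verdicts; the command line is carried through so the analyst can confirm the ms-msdt: URI and the payload before deciding true or false positive.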

Affected Versions:

See the Microsoft Security Update Guide entry: CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

The current Microsoft 365 Apps (O365) build appears vulnerable; older Office versions are certainly vulnerable.

Mitigation:

  1. Educating users to identify and delete malicious emails remains your best line of defense until a patch is available to deploy to your endpoints.

Workaround:

  1. Push the batch script (from the repository below) using PDQ, SCCM, PsExec or any other deployment tool available to you.

tej7gandhi/CVE-2022-30190-Zero-Click-Zero-Day-in-msdt (github.com)

Registry key Change:

Per the Microsoft guidance referenced below, the workaround disables the MSDT URL protocol handler: back up the HKEY_CLASSES_ROOT\ms-msdt registry key, then delete it, so that ms-msdt: links in documents no longer launch msdt.exe. Troubleshooters remain reachable through the Get Help application and Settings. Once patched builds are deployed, restore the key from the backup.
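The registry change behind the batch script, as an added PowerShell script (not the post's or the linked repository's own code). It follows the Microsoft MSRC guidance referenced below: export HKEY_CLASSES_ROOT\ms-msdt to a backup file, delete the key, verify it is gone, and restore it from the backup after patching. The script name Disable-MsMsdt.ps1, the -Undo switch and the backup location under ProgramData are assumptions made for this example.

```powershell
# Added example (not the post's batch script): apply or undo the MSRC interim
# workaround for CVE-2022-30190 by removing the ms-msdt URL protocol handler.
# Save as Disable-MsMsdt.ps1 (assumed name) and run from an elevated session.
# Backup path and the -Undo switch are assumptions made for this example.
param([switch]$Undo)

$Key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$Backup = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

# Refuse to run without admin rights; HKCR writes fail silently otherwise
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run from an elevated (Administrator) PowerShell session.' }

if ($Undo) {
    # Restore the handler after the security update has been deployed
    if (-not (Test-Path $Backup)) { throw "No backup at $Backup; nothing to restore." }
    reg.exe import $Backup
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Host "Restored $Key from $Backup"
    return
}

if (-not (Test-Path "Registry::$Key")) {
    Write-Host "$Key not present; workaround already applied."
    return
}

# 1. Back up the key so troubleshooter links can be restored later
reg.exe export $Key $Backup /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 2. Delete the handler so ms-msdt: URIs no longer launch msdt.exe
reg.exe delete $Key /f
if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }

# 3. Verify the change actually took effect before reporting success
if (Test-Path "Registry::$Key") { throw "$Key still present; workaround did not apply." }
Write-Host "Removed $Key (backup: $Backup)"
```

To push it with the tooling named in the Workaround section, run it as `powershell.exe -ExecutionPolicy Bypass -File Disable-MsMsdt.ps1` under an account with local administrator rights; the exit code is non-zero on any failure, so the deployment tool can report hosts where the key was not removed. Run with -Undo on each host after the update that fixes CVE-2022-30190 has been installed.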

Reference:

  1. Microsoft Security Response Center, "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability": https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
  2. Malwarebytes Labs, "Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug)"
  3. Tenable Blog, "CVE-2022-30190: Zero Click Zero Day in Microsoft Support Diagnostic Tool Exploited in the Wild"
  4. Palo Alto Networks Blog, "Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190)"
