Skip to main content

CVE-2022-30190 - MSDT RCE

This Playbook is part of the CVE-2022-30190 - MSDT RCE Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

This pack is part of the Rapid Breach Response pack.

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

  • Collect detection rules.
  • Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
  • Cortex XDR BIOCs coverage.
  • Provides Microsoft workarounds and detection capabilities.

More information:

Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190)

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Rapid Breach Response - Set Incident Info
  • QRadarFullSearch
  • Splunk Indicator Hunting
  • QRadar Indicator Hunting V2

Integrations#

  • Elasticsearch v2

Scripts#

  • http
  • ParseHTMLIndicators
  • IsIntegrationAvailable

Commands#

  • search
  • extractIndicators
  • closeInvestigation
  • xdr-get-alerts
  • splunk-search
  • xdr-xql-generic-query
  • createNewIndicator
  • associateIndicatorsToIncident

Playbook Inputs#


NameDescriptionDefault ValueRequired
SplunkIndexSplunk's index name to search in. Default is "*" - All.*Optional
SplunkEarliestTimeSplunk's earliest time to search.nowOptional
SplunkLatestTimeSplunk's latest time to search.-1d@dOptional
ElasticIndexElastic's index name to search inOptional
QRadarTimeRangeQRadar's query time range.Last 1 DAYSOptional
PlaybookDescriptionThe playbook's description.On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability


Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Optional
RunXQLHuntingQueriesWhether to execute the XQL queries.FalseOptional
RelatedCVEsFollina vulnerability CVE reference.CVE-2022-30190Optional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


CVE-2022-30190 - MSDT RCE