# CVE-2022-30190 - MSDT RCE

This playbook is part of the CVE-2022-30190 - MSDT RCE Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.
On May 27th, a new Microsoft Office zero-day was discovered by Nao_sec.
The zero-day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.
On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, also known as the Follina vulnerability.

This playbook includes the following tasks:

- Collect detection rules.
- Hunt for exploitation patterns using the Cortex XDR XQL Engine and third-party SIEM products.
- Cover the exploitation patterns with Cortex XDR BIOCs.
- Provide Microsoft's workarounds and detection capabilities.

More information:
Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
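The hunts this playbook delegates to its SIEM sub-playbooks (an Office application spawning msdt.exe or another living-off-the-land binary, and msdt.exe being launched through the ms-msdt: URL protocol) can be prototyped offline before the XQL, Splunk or QRadar searches are tuned. The following is an added example and is not code from the pack or from Palo Alto Networks: the key="value" record layout, the field names (`ts`, `host`, `parent_image`, `image`, `cmdline`), the Office and LOLBin lists, the rule names and the sample log lines are all constructed for this example, and the severities are an assumed triage ordering rather than anything the playbook defines.

```python
"""Added example: SIEM-independent version of the process-creation hunts that
the CVE-2022-30190 playbook runs through QRadar / Splunk / XQL.

Findings raised:
  office_spawns_msdt          (high)   Office parent -> msdt.exe child
  office_spawns_lolbin        (medium) Office parent -> another LOLBin child
  msdt_url_protocol_cmdline   (medium) msdt.exe invoked with a ms-msdt: URI
The record format and every sample line are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: a starting list of Office parents; extend to what your estate runs.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Assumption: binaries an Office application has no routine reason to spawn.
# msdt.exe is the diagnostic tool itself; sdiagnhost.exe is its scripted-diagnostics host.
LOLBINS = {"msdt.exe", "sdiagnhost.exe", "powershell.exe", "cmd.exe", "mshta.exe",
           "rundll32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}

# The URL protocol that hands a ms-msdt: URI to msdt.exe (the vector the page describes).
MSDT_PROTOCOL = re.compile(r"ms-msdt:", re.IGNORECASE)

# One key="value" pair; the whole record is a sequence of these.
FIELD = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    severity: str
    rule: str
    image: str
    parent: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed key="value" process-creation record into a dict."""
    return dict(FIELD.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Apply the three hunt rules to a single parsed event."""
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    findings: List[Finding] = []

    def add(severity: str, rule: str) -> None:
        findings.append(Finding(event.get("ts", ""), event.get("host", ""),
                                severity, rule, image, parent))

    # Rule 1/2: the parent/child relationship the QRadar sub-playbooks search for.
    if parent in OFFICE_PARENTS and image == "msdt.exe":
        add("high", "office_spawns_msdt")
    elif parent in OFFICE_PARENTS and image in LOLBINS:
        add("medium", "office_spawns_lolbin")

    # Rule 3: msdt.exe reached through the URL protocol, whatever the parent.
    # A user-started troubleshooter uses "msdt.exe -id <pack>", not a ms-msdt: URI.
    if image == "msdt.exe" and MSDT_PROTOCOL.search(cmdline):
        add("medium", "msdt_url_protocol_cmdline")
    return findings


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run every record through evaluate() and collect the findings in order."""
    out: List[Finding] = []
    for line in lines:
        out.extend(evaluate(parse_event(line)))
    return out


# Constructed sample telemetry (not real logs): one suspicious Word launch, one
# legitimate troubleshooter, one Office -> PowerShell, one benign, one cmd -> msdt URI.
SAMPLE_EVENTS = [
    r'ts="2022-05-30T10:01:02Z" host="WS01" parent_image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\msdt.exe" cmdline="msdt.exe ms-msdt:/id PCWDiagnostic /skip force"',
    r'ts="2022-05-30T10:05:11Z" host="WS02" parent_image="C:\Windows\explorer.exe" image="C:\Windows\System32\msdt.exe" cmdline="msdt.exe -id NetworkDiagnosticsWeb"',
    r'ts="2022-05-30T10:07:45Z" host="WS03" parent_image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -nop -w hidden"',
    r'ts="2022-05-30T10:09:00Z" host="WS04" parent_image="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
    r'ts="2022-05-30T10:12:30Z" host="WS05" parent_image="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\msdt.exe" cmdline="msdt.exe ms-msdt:/id PCWDiagnostic"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} [{f.severity}] {f.rule}: {f.parent} -> {f.image}")
```

The Office-parent rule is kept separate from the command-line rule on purpose: the first survives a renamed or relocated msdt.exe as long as the parent is an Office binary, and the second catches the URL-protocol invocation when the parent is something other than Office. Either one alone would miss a case the other covers.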
## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

- Rapid Breach Response - Set Incident Info
- QRadar Indicator Hunting V2
- Splunk Indicator Hunting
- QRadar search for new Lolbin process by Office applications
- QRadar search for msdt.exe launching via the command line

### Integrations

- Elasticsearch v2

### Scripts

- ParseHTMLIndicators
- http
- IsIntegrationAvailable

### Commands

- xdr-get-alerts
- splunk-search
- search
- createNewIndicator
- associateIndicatorsToIncident
- closeInvestigation
- extractIndicators
- xdr-xql-generic-query
## Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| SplunkIndex | Splunk's index name in which to search. Default is "*" - All. | * | Optional |
| SplunkEarliestTime | Splunk's earliest time to search. | now | Optional |
| SplunkLatestTime | Splunk's latest time to search. | -1d@d | Optional |
| ElasticIndex | Elastic's index name in which to search. | | Optional |
| QRadarTimeRange | QRadar's query time range. | Last 1 DAYS | Optional |
| PlaybookDescription | The playbook's description. | On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec. The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability. This playbook includes the following tasks: Collect detection rules. Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products. Cortex XDR BIOCs coverage. Provides Microsoft workarounds and detection capabilities. More information: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional |
| RunXQLHuntingQueries | Whether to execute the XQL queries. | False | Optional |
| RelatedCVEs | Follina vulnerability CVE reference. | CVE-2022-30190 | Optional |

## Playbook Outputs

There are no outputs for this playbook.