Suspicious Cabinet File Execution Via Msdt.EXE
- source: sigma
- techniques:
  - T1202
Description
Detects execution of msdt.exe with the "cab" flag, which could indicate a suspicious .diagcab file with an embedded answer file leveraging CVE-2022-30190.
Detection logic
selection_cmd:
    CommandLine|contains|windash: ' -cab '
selection_img:
    - Image|endswith: \msdt.exe
    - OriginalFileName: msdt.exe
condition: all of selection_*
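The rule's logic evaluated in plain Python against constructed process-creation events, as an added example that is not part of the Sigma rule or its repository. The field names (Image, OriginalFileName, CommandLine) follow the rule; the helper names, the Unicode-dash expansion of `windash` (which follows pySigma's behaviour) and the sample events are my assumptions.

```python
from typing import Dict, List

# Sigma 'windash': every '-' in the pattern also matches the '/' switch form.
# pySigma additionally expands to the Unicode dashes, so they are included here.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")

def windash_contains(value: str, pattern: str) -> bool:
    """Case-insensitive 'contains' with dash expansion, as Sigma applies it."""
    haystack = value.lower()
    return any(pattern.replace("-", d).lower() in haystack for d in WINDASH_VARIANTS)

def selection_cmd(event: Dict[str, str]) -> bool:
    # selection_cmd: CommandLine|contains|windash: ' -cab '
    return windash_contains(event.get("CommandLine", ""), " -cab ")

def selection_img(event: Dict[str, str]) -> bool:
    # selection_img is a YAML list, so its two items are OR-ed: the
    # OriginalFileName check still fires when the binary is copied and renamed.
    return (event.get("Image", "").lower().endswith("\\msdt.exe")
            or event.get("OriginalFileName", "").lower() == "msdt.exe")

def matches_rule(event: Dict[str, str]) -> bool:
    # condition: all of selection_*  ->  both selections must hold
    return selection_cmd(event) and selection_img(event)

# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\msdt.exe", "OriginalFileName": "msdt.exe",
     "CommandLine": r"msdt.exe -cab C:\Users\Public\diag.diagcab"},           # dash form
    {"Image": r"C:\Windows\System32\msdt.exe", "OriginalFileName": "msdt.exe",
     "CommandLine": r"msdt.exe /cab C:\Users\Public\diag.diagcab /af a.xml"},  # slash form
    {"Image": r"C:\Windows\System32\msdt.exe", "OriginalFileName": "msdt.exe",
     "CommandLine": r"msdt.exe -id PCWDiagnostic"},                            # no cab flag
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "msdt.exe",
     "CommandLine": r"renamed.exe -cab C:\Temp\x.diagcab"},                    # renamed copy
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe -cab whatever"},                                 # wrong image
]

def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Return one verdict per event; the rule fires only for events 1, 2 and 4."""
    return [matches_rule(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ok    ", e["CommandLine"])
```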