Techniques
Sample rules
Troubleshooting Pack Cmdlet Execution
- source: sigma
- techniques:
  - t1202
Description
Detects execution of "TroubleshootingPack" cmdlets used to leverage CVE-2022-30190, or actions similar to the "msdt" LOLBin (as described in LOLBAS).
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - Invoke-TroubleshootingPack
    - C:\Windows\Diagnostics\System\PCW
    - -AnswerFile
    - -Unattended
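One way to evaluate this rule's selection against PowerShell script block logging (Event ID 4104), as an added Python example that is not part of the Sigma rule or this page; the sample events, their ScriptBlockIds and the chunk reassembly step are constructed assumptions, added because long script blocks are logged as several 4104 events and a per-event `contains|all` can miss tokens that land in different chunks.

```python
from collections import defaultdict

# The page's Sigma selection: every one of these must appear in ScriptBlockText
# (Sigma's contains|all). Sigma string matching is case-insensitive by default.
REQUIRED_SUBSTRINGS = (
    "Invoke-TroubleshootingPack",
    r"C:\Windows\Diagnostics\System\PCW",
    "-AnswerFile",
    "-Unattended",
)


def matches_rule(script_block_text: str) -> bool:
    """Evaluate the rule's single selection against one script block."""
    text = script_block_text.lower()
    return all(s.lower() in text for s in REQUIRED_SUBSTRINGS)


def reassemble_script_blocks(events):
    """Join chunked 4104 events back into whole script blocks.

    PowerShell splits long script blocks across several 4104 events that share
    a ScriptBlockId and carry MessageNumber/MessageTotal; matching each chunk
    on its own can miss a rule whose required tokens fall into different chunks.
    """
    chunks = defaultdict(list)
    for e in events:
        chunks[e["ScriptBlockId"]].append((e["MessageNumber"], e["ScriptBlockText"]))
    return {block_id: "".join(text for _, text in sorted(parts))
            for block_id, parts in chunks.items()}


def find_alerts(events):
    """Return the ScriptBlockIds whose reassembled text matches the rule."""
    blocks = reassemble_script_blocks(events)
    return sorted(b for b, text in blocks.items() if matches_rule(text))


# Constructed sample 4104 events (hypothetical ScriptBlockIds), not real telemetry.
SAMPLE_EVENTS = [
    # Benign: interactive run of a different pack, no answer file, no -Unattended.
    {"ScriptBlockId": "A", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": r"Get-TroubleshootingPack C:\Windows\Diagnostics\System\Networking | Invoke-TroubleshootingPack"},
    # Suspicious, logged as two chunks: neither chunk alone carries all four tokens.
    {"ScriptBlockId": "B", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": r"$p = Get-TroubleshootingPack C:\WINDOWS\Diagnostics\System\PCW; "},
    {"ScriptBlockId": "B", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "invoke-troubleshootingpack -Pack $p -answerfile $a -unattended"},
]
```

Running `find_alerts(SAMPLE_EVENTS)` flags only block "B", while `matches_rule` on either of B's chunks alone returns False, which is the gap the reassembly closes.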