Techniques
Sample rules
MSDT Execution Via Answer File
- source: sigma
- techniques:
- t1218
Description
Detects execution of “msdt.exe” with an answer file in a way that mimics the legitimate invocation of msdt via “pcwrun.exe” (for example from the Compatibility tab), while the actual parent process is not “pcwrun.exe”.
Detection logic
detection:
    selection:
        Image|endswith: '\msdt.exe'
        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
        CommandLine|contains|windash: ' -af '
    filter_main_pcwrun:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection and not 1 of filter_main_*
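The following is an added example, not code from the Sigma project or from this rule's author: a small evaluator that applies the detection logic above to constructed process-creation events so the selection, the `windash` expansion of ` -af `, and the `pcwrun.exe` parent filter can be seen working together. The event dictionaries, their `id` values, the user path and temp file name in the command lines, and the field names `Image`, `CommandLine` and `ParentImage` (modelled on Sysmon Event ID 1) are all assumptions; the set of dash characters expanded by `windash` is taken from the Sigma modifier specification as I understand it and is likewise an assumption.

```python
import itertools

# Dash characters that Sigma's |windash modifier expands a '-' into:
# hyphen, slash, en dash, em dash, horizontal bar (assumption based on the
# Sigma specification, not copied from a converter backend).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_variants(value: str) -> list[str]:
    """Return every permutation of `value` with each '-' swapped for a dash variant."""
    positions = [i for i, ch in enumerate(value) if ch == "-"]
    if not positions:
        return [value]
    variants = []
    for combo in itertools.product(WINDASH_VARIANTS, repeat=len(positions)):
        chars = list(value)
        for pos, dash in zip(positions, combo):
            chars[pos] = dash
        variants.append("".join(chars))
    return variants


def contains_windash(haystack: str, needle: str) -> bool:
    """Case-insensitive 'contains' with windash expansion, as Sigma compiles it."""
    hay = haystack.lower()
    return any(v.lower() in hay for v in windash_variants(needle))


def matches_msdt_answer_file(event: dict) -> bool:
    """Evaluate `selection and not 1 of filter_main_*` for one process-creation event."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()

    # selection: msdt.exe, the PCWDiagnostic.xml path, and an answer-file switch
    selection = (
        image.endswith("\\msdt.exe")
        and "\\windows\\diagnostics\\index\\pcwdiagnostic.xml" in cmdline.lower()
        and contains_windash(cmdline, " -af ")
    )
    # filter_main_pcwrun: the expected benign parent for this command line
    filter_main_pcwrun = parent.endswith("\\pcwrun.exe")
    return selection and not filter_main_pcwrun


# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {   # benign: started by the Program Compatibility troubleshooter (pcwrun.exe)
        "id": "legit-pcwrun",
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\System32\pcwrun.exe",
        "CommandLine": r'"C:\Windows\system32\msdt.exe" -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Users\alice\AppData\Local\Temp\PCW1A2B.xml -ep PCWTriage',
    },
    {   # same command line, but the parent is a shell rather than pcwrun.exe
        "id": "shell-parent",
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\system32\msdt.exe" -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Users\alice\AppData\Local\Temp\PCW1A2B.xml -ep PCWTriage',
    },
    {   # slash instead of hyphen before 'af'; windash keeps the match
        "id": "slash-switch",
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'msdt.exe /path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml /af C:\Users\alice\AppData\Local\Temp\PCW1A2B.xml',
    },
    {   # msdt run with a diagnostic id only, no answer file: not selected
        "id": "no-answer-file",
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\system32\msdt.exe" -id PCWDiagnostic',
    },
]


def alerts(events: list[dict]) -> list[str]:
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches_msdt_answer_file(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f'{e["id"]:>16}: {"ALERT" if matches_msdt_answer_file(e) else "ok"}')
```

Running the block prints one line per sample event; only `shell-parent` and `slash-switch` alert, because the first event is excluded by the `pcwrun.exe` parent filter and the last never satisfies the selection. Sigma string matching is case-insensitive, which is why every comparison lowercases both sides before testing `endswith` or `contains`.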