Techniques
Sample rules
Execute MSDT Via Answer File
- source: sigma
- techniques:
  - t1218
Description
Detects execution of “msdt.exe” with an answer file (the “-af” / “/af” switch) that mimics the legitimate way “msdt.exe” is launched via “pcwrun.exe” (for example from the Compatibility tab), but without “pcwrun.exe” as the parent process.
Detection logic
selection_cli:
    Image|endswith: '\msdt.exe'
    CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
selection_answer:
    CommandLine|contains:
        - ' -af '
        - ' /af '
filter:
    ParentImage|endswith: '\pcwrun.exe'
condition: all of selection* and not filter
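The following is an added example, not part of the page or of the Sigma rule itself: it evaluates the detection logic above over a handful of constructed process-creation events so the AND/OR/NOT semantics of “all of selection* and not filter” can be seen end to end. It assumes the field names the rule uses (Image, CommandLine, ParentImage), Sigma's default case-insensitive string matching, and hypothetical event data.

```python
# Added example (not from the page or the Sigma project): evaluates the
# "Execute MSDT Via Answer File" detection logic over constructed
# process_creation events. Field names (Image, CommandLine, ParentImage)
# are the ones the rule uses; the events themselves are hypothetical.

SELECTION_CLI = {
    "Image|endswith": r"\msdt.exe",
    "CommandLine|contains": r"\WINDOWS\diagnostics\index\PCWDiagnostic.xml",
}
SELECTION_ANSWER = {
    "CommandLine|contains": [" -af ", " /af "],
}
FILTER = {
    "ParentImage|endswith": r"\pcwrun.exe",
}


def field_matches(event, key, wanted):
    """Apply one Sigma field|modifier test.

    Sigma string matching is case-insensitive by default; a list of
    values under one field is OR-ed.
    """
    field, modifier = key.split("|", 1)
    value = str(event.get(field, "")).lower()
    candidates = wanted if isinstance(wanted, list) else [wanted]
    for w in candidates:
        w = w.lower()
        if modifier == "endswith" and value.endswith(w):
            return True
        if modifier == "contains" and w in value:
            return True
    return False


def selection_matches(event, selection):
    """All fields inside one selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection* and not filter"""
    return (
        selection_matches(event, SELECTION_CLI)
        and selection_matches(event, SELECTION_ANSWER)
        and not selection_matches(event, FILTER)
    )


# Constructed sample events (hypothetical telemetry, not real logs).
EVENTS = [
    {   # 1: legitimate Program Compatibility Troubleshooter launch -> filtered
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\System32\pcwrun.exe",
        "CommandLine": r'"C:\WINDOWS\system32\msdt.exe" -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Users\alice\AppData\Local\Temp\PCW8F3A.xml /skip TRUE',
    },
    {   # 2: same command line, but spawned from cmd.exe -> alert
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\WINDOWS\system32\msdt.exe" -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Users\alice\AppData\Local\Temp\PCW8F3A.xml /skip TRUE',
    },
    {   # 3: slash form of the answer-file switch, spawned from PowerShell -> alert
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml /af C:\Users\Public\answers.xml /skip TRUE",
    },
    {   # 4: PCWDiagnostic pack without an answer file -> no alert
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml",
    },
    {   # 5: answer file used with a different diagnostic pack -> no alert
        "Image": r"C:\Windows\System32\msdt.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"msdt.exe -path C:\WINDOWS\diagnostics\system\Audio -af C:\Temp\a.xml",
    },
]


def evaluate(events):
    """Return the rule verdict for each event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for n, (event, hit) in enumerate(zip(EVENTS, evaluate(EVENTS)), 1):
        print(f"event {n}: {'ALERT' if hit else 'no match'}  (parent: {event['ParentImage']})")
```

Two things worth checking when porting this rule to a backend: the answer-file patterns carry a space on both sides, so a command line where “-af” is the final token with no trailing space will not match “ -af ”; and because the filter excludes anything whose parent is “pcwrun.exe”, the rule deliberately trades coverage of pcwrun-parented launches for a low false-positive rate on the Compatibility tab workflow.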