Another zero-day security flaw in the Microsoft Support Diagnostic Tool (MSDT), nicknamed DogWalk, comes hard on the heels of its actively exploited counterpart, the remote code execution vulnerability Follina, tracked as CVE-2022-30190. Just as with Follina, a serious security issue affecting MSDT, Microsoft ignored the bug when it was first brought to their attention. At the time of writing, no CVE has been assigned to this flaw.
An unofficial patch has just been released and is now available via the 0patch platform.
SOC Prime’s team of dedicated threat hunting engineers has released a Sigma rule to help you identify whether your system was compromised via the DogWalk security hole. The rule detects attackers using .diagcab files to drop additional files onto the disk of a victim system through user execution:
The rule is aligned with the latest MITRE ATT&CK® framework v10, addressing the Execution tactic and the User Execution (T1204; T1204.002) technique.
This detection has translations for the following industry-leading SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.
To detect other possible system compromises, see the complete list of rules available in the Threat Detection Marketplace repository of SOC Prime’s platform by pressing the Detect & Hunt button. Note, though, that these rules are available only to registered users.
SOC professionals without the Platform’s account can browse through the collection of Sigma rules available via the Cyber Threat Search Engine. Press the Explore Threat Context button to access a one-stop shop for free SOC content, no strings attached.
The Microsoft Windows zero-day vulnerability in MSDT dubbed DogWalk was first documented in 2020 by independent security researcher Imre Rad but was ignored by Microsoft at that time. Rad shared Microsoft’s response, in which they refused to consider the issue a vulnerability and therefore declined to fix it.
This path traversal flaw was revisited in late May – early June 2022 by a security researcher known by the nickname j00sean.
The kill chain starts with the target receiving a malicious .diagcab archive file, either as an email attachment or as a voluntary download. The weaponized file does not trigger an appropriate security response (major browsers do not flag it as suspicious or potentially dangerous). When opened, it drops its payload into the Windows Startup folder, where the OS executes it on the next login.
Devices running Windows 7 or later remain vulnerable to this exploit.
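As an added example (not SOC Prime's Sigma rule and not code from the page), the two observable stages of the chain above, a .diagcab being launched and a payload landing in a Startup folder, expressed as simple matchers over constructed Sysmon-style events. The process names msdt.exe and sdiagnhost.exe, the `/cab` launch form and all event data are assumptions made for the illustration.

```python
"""Toy detector for the DogWalk pattern: MSDT handling a .diagcab and
then writing a file into a Windows Startup folder (persistence via login).
Events mimic Sysmon EventID 1 (process create) and 11 (file create)."""

# Assumption: MSDT components that process .diagcab content.
MSDT_IMAGES = {"msdt.exe", "sdiagnhost.exe"}


def _norm(path: str) -> str:
    """Normalise Windows paths for case-insensitive, slash-agnostic matching."""
    return path.replace("\\", "/").lower()


def is_startup_path(path: str) -> bool:
    """True for both the per-user and the all-users Startup folder."""
    return "/start menu/programs/startup/" in _norm(path)


def is_msdt_image(image: str) -> bool:
    return _norm(image).rsplit("/", 1)[-1] in MSDT_IMAGES


def diagcab_launch_events(events):
    """Stage 1: user execution of a .diagcab (process-create events)."""
    return [e for e in events
            if e.get("EventID") == 1
            and ".diagcab" in _norm(e.get("CommandLine", ""))]


def dogwalk_drop_events(events):
    """Stage 2: an MSDT process created a file inside a Startup folder."""
    return [e for e in events
            if e.get("EventID") == 11
            and is_msdt_image(e.get("Image", ""))
            and is_startup_path(e.get("TargetFilename", ""))]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe /cab C:\Users\alice\Downloads\invoice.diagcab"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msdt.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\SDIAG_1\script.ps1"},
    {"EventID": 11, "Image": r"C:\Windows\System32\sdiagnhost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Installer\setup.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\agent.lnk"},
]

if __name__ == "__main__":
    for hit in dogwalk_drop_events(SAMPLE_EVENTS):
        print("ALERT: MSDT wrote to Startup folder:", hit["TargetFilename"])
```

Only the sdiagnhost.exe write is reported: the msdt.exe write to a temp folder and the setup.exe write to Startup each satisfy one condition but not both.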
To boost your threat hunting capabilities, join the Threat Bounty Program and get full access to the only Threat Detection Marketplace where researchers monetize their content. Enhance your security arsenal with cross-vendor and cross-tool detection content items tailored to 25+ market-leading SIEM, EDR, and XDR technologies.