title: MSDT.exe Loading Diagnostic Library
id: ec8c4047-fad9-416a-8c81-0f479353d7f6
status: experimental
description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary 
author: Greg (rule)
references:
  - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
date: 2022/06/17
logsource:
  category: image_load
  product: windows
detection:
  selection_img:
    Image|endswith: '\msdt.exe'
  selection_load:
    ImageLoaded|endswith: '\sdiageng.dll'
  condition: all of selection*
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1202
  - cve.2022.30190