CVE-2022-30190 - MSDT RCE

Details
Content
Dependencies
Version History

This pack handles MSDT RCE CVE-2022-30190, aka Follina vulnerability, a 0-day exploit in Microsoft MSDT protocol handler

This pack is part of the Rapid Breach Response pack.

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190)

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2022-30190 - MSDT RCE

This pack is part of the Rapid Breach Response pack.

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190)

CVE-2022-30190 - MSDT RCE

Playbooks

Name	Description
CVE-2022-30190 - MSDT RCE	On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec. The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability. This playbook includes the following tasks: Collect detection rules. Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products. Cortex XDR BIOCs coverage. Provides Microsoft workarounds and detection capabilities. More information: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

CVE-2022-30190 - MSDT RCE

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Playbooks

Name	Description
CVE-2022-30190 - MSDT RCE	On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec. The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability. This playbook includes the following tasks: Collect detection rules. Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products. Cortex XDR BIOCs coverage. Provides Microsoft workarounds and detection capabilities. More information: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

CVE-2022-30190 - MSDT RCE

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Optional Content Packs (4)

Pack Name	Pack By
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
Splunk	By: Cortex XSOAR

All level dependencies (15)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	May 31, 2022
Last Release	March 23, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.