CVE-2022-30190 - MSDT RCE

Details
Content
Dependencies
Version History

This pack handles MSDT RCE CVE-2022-30190, aka Follina vulnerability, a 0-day exploit in Microsoft MSDT protocol handler

This pack is part of the Rapid Breach Response pack.

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190)

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2022-30190 - MSDT RCE

This pack is part of the Rapid Breach Response pack.

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190)

CVE-2022-30190 - MSDT RCE

Playbooks

Name	Description
CVE-2022-30190 - MSDT RCE	On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec. The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability. This playbook includes the following tasks: Collect detection rules. Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products. Cortex XDR BIOCs coverage. Provides Microsoft workarounds and detection capabilities. More information: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

CVE-2022-30190 - MSDT RCE

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Playbooks

Name	Description
CVE-2022-30190 - MSDT RCE	On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec. The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability. This playbook includes the following tasks: Collect detection rules. Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products. Cortex XDR BIOCs coverage. Provides Microsoft workarounds and detection capabilities. More information: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

CVE-2022-30190 - MSDT RCE

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Optional Content Packs (4)

Pack Name	Pack By
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR

All level dependencies (14)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	May 31, 2022
Last Release	May 2, 2023

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.