Adversary Emulation

Testing your defenses against CVE-2022-30190: MSDT “Follina” 0-Day

Published June 2, 2022

AttackIQ has released a new scenario to test your security controls against exploits used in the Follina 0-day. This new scenario helps security teams validate visibility, patching, security controls, and logging in their environments relative to this pervasive 0-day vulnerability. Elevate your security program performance using AttackIQ. Read More

On Friday May 27, 2022, an independent cybersecurity research team known as Nao_Sec discovered a malicious Microsoft Office document shared on VirusTotal. Uploaded from an IP address in Belarus, the document contained what turned out to be a 0-day, zero-click remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. The vulnerability, nicknamed “Follina,” has been assigned CVE-2022-30190 and Microsoft has reported active exploitation in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging users and administrators to review Microsoft’s Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workaround.

To exploit the vulnerability, an attacker can abuse the MS Word remote template feature as a calling application to retrieve a malicious HTML file that uses the ms-msdt URL protocol to execute arbitrary code such as PowerShell within the context of Word and at the privilege level at which the calling application is running, allowing an attacker to install programs, view, change, or delete data, or create new accounts. This works even if macros are disabled, however, Application Guard for Office as well as Protected View may prevent the attack.

The Content Team at AttackIQ has created a new scenario replicating exploitation of this vulnerability to help security teams validate visibility, patching, security controls and logging in their environments relative to this pervasive 0-day vulnerability exploited in the wild. The scenario drops and executes a Microsoft Office document that retrieves a remote HTML file that contains a crafted ms-msdt URL that will execute an obfuscated PowerShell command.

When decoded, that command will first stop the running Microsoft Troubleshooting msdt.exe process and then drop a canary file on the host indicating that the vulnerability has successfully been exploited.

$cmd = “c:\windows\system32\cmd.exe”;
Start-Process $cmd -windowstyle hidden -ArgumentList “/c taskkill /f /im msdt.exe”;
Get-Process | Out-File -FilePath $env:TEMP\<verification file>.txt;

This scenario is available in the AttackIQ Security Optimization Platform now. AttackIQ stands at the ready to help security teams implement this assessment and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.

About the Author

Adam Moore

Adam Moore has joined AttackIQ as Head of R&D for threat emulation content with 16yrs experience doing operational network defense, threat intelligence, incident response and active cyber defense/counter-threat operations, with an overlapping and sizable subset of that time also designing and doing insider threat monitoring and consulting on cyber research projects for government and military customers. He has also led security technology implementation projects, closely supported CISOs for many years by advising, reporting and acting in their places, and much more. He has defended the U.S. Army's networks in Europe, the distributed nuclear weapons complex, the A- and J-root DNS delegation authority and backend registry operator for .com/.net/.gov (and other TLDs) for the Internet, and a non-profit think-tank highly-targeted by espionage operators from multiple countries. Learn More