Detects execution of “msdt.exe” using an answer file which is simulating the legitimate way of calling msdt via “pcwrun.exe” (For example from the compatibility tab).
title: MSDT Execution Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: |
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
modified: 2025-10-29
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\msdt.exe'
CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
CommandLine|contains|windash: ' -af '
filter_main_pcwrun:
ParentImage|endswith: '\pcwrun.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Possible undocumented parents of "msdt" other than "pcwrun".
level: high
imProcessCreate
| where (TargetProcessName endswith "\\msdt.exe" and TargetProcessCommandLine contains "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml" and (TargetProcessCommandLine contains " -af " or TargetProcessCommandLine contains " /af " or TargetProcessCommandLine contains " –af " or TargetProcessCommandLine contains " —af " or TargetProcessCommandLine contains " ―af ")) and (not((ParentProcessName endswith "\\pcwrun.exe" or ActingProcessName endswith "\\pcwrun.exe")))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |