CVE-2022-30190

olfuddyduddy
Level 1

Zero Day Exploit of Microsoft Support Diagnostic Tool Detection. What components of Cisco Secure Endpoint will detect and block this vulnerability?

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

8 Replies

Armstnei
Level 1

I believe they are awaiting a signature update from TALOS to help in detection/prevention.

sylvain.hamel1
Level 1

They added detection this morning. I'm just not sure which engine is picking this up and if it will only detect or block/quarantine.

Behavioral Protection would need to be enabled.

How is it known that this is Behavioral Detection and not Exploit Prevention, Exploit Prevention-Script Control, System Process Protection, or Malicious Activity Protection? Is there a place to look to confirm this?

Hello S.H.,

Thank you for posting this. If you don't mind sharing a little more, where is this information from? How do I find this information source for future reference? Thank you for any assistance you can provide.

- CB

I found it in the Indicators page (Indicators (cisco.com)).

In Analysis-->Indicators of the console.


Just sad that they don't have a published/modified date that we could filter on (so that you can see new Indicators added easily....).

Thank you Sylvain. I was able to find the same indicator using general search on "msdt". I'm still trying to determine which AMP detection engine is necessary to be certain this is detecting in my enterprise. The indicator doesn't have that information listed on the indicator blurb. Any clues as to how you determined the behavioral engine to be the engine necessary to make use of this indicator?