Over the weekend, a new Microsoft Office zero-day was disclosed. This vulnerability has been assigned CVE-2022-30190.
Prior to this disclosure, Binary Defense MDR clients were already protected at the post-exploitation stage: the post-exploitation tactics seen with this vulnerability follow the usual patterns that our behavior-based detections are best at identifying and alarming on. Additionally, our threat researchers have been tracking the executable involved (msdt.exe) as a potential attack avenue since 2017 and have since pushed out more refined detections for it.
This morning, Binary Defense released an update that detects this attack very early in the process. This does not require an update to the Agent.
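As an added illustration of the kind of behavior-based check described above (example code written for this page, not Binary Defense's detection content), the following runs a simple process-ancestry rule over constructed process-creation events: msdt.exe launched by an Office application, or a shell/script host launched under msdt.exe or its diagnostic host, is flagged. The Office process names, the `sdiagnhost.exe` parent and the event field names are assumptions.

```python
# Process-ancestry detection for CVE-2022-30190-style msdt.exe abuse.
# Events are constructed samples, not real telemetry; field names are assumed.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe",
                    "outlook.exe", "msaccess.exe"}
MSDT_CHAIN = {"msdt.exe", "sdiagnhost.exe"}   # msdt.exe and its diagnostics host (assumed)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

SAMPLE_EVENTS = [  # constructed process-creation records
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "child": r"C:\Windows\System32\msdt.exe"},
    {"parent": r"C:\Windows\System32\sdiagnhost.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent": r"C:\Windows\explorer.exe",                # user-launched troubleshooter
     "child": r"C:\Windows\System32\msdt.exe"},
    {"parent": r"C:\Windows\System32\services.exe",       # unrelated, benign
     "child": r"C:\Windows\System32\svchost.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a severity/description string for a suspicious event, else None."""
    parent, child = basename(event["parent"]), basename(event["child"])
    if parent in OFFICE_PROCESSES and child == "msdt.exe":
        return "high: msdt.exe spawned by an Office application"
    if parent in MSDT_CHAIN and child in SCRIPT_HOSTS:
        return "high: script host spawned under the msdt.exe diagnostics chain"
    if child == "msdt.exe":
        return "info: msdt.exe launched; review the parent process"
    return None


def run_detection(events):
    """Return (event index, verdict) for every event that matches a rule."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e))]


if __name__ == "__main__":
    for idx, verdict in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict}")
```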
Microsoft has published a mitigation for this exploit, and you may also consider blocking “msdt.exe” with AppLocker. Additional details and guidance are contained in the following blog:
For Binary Defense MDR and SIEM customers, we are actively monitoring the situation, and the SOC is operating at a higher level of vigilance while looking for post-exploitation activity related to this exposure.