
Follina for Protocol Handlers

Analysis of the Follina vulnerability (CVE-2022-30190) and the broader attack surface of Windows protocol handlers for remote code execution.

follina cve-2022-30190 protocol-handler rce detection splunk

Originally published on the Splunk Security Blog
Read the full article: Follina for Protocol Handlers

The Follina Vulnerability

CVE-2022-30190 (Follina) exploited the ms-msdt: protocol handler to achieve remote code execution through Microsoft Office documents. No macros required.

How It Worked

  1. Malicious document - Contains external reference
  2. Fetches HTML - From attacker-controlled server
  3. HTML triggers MSDT - Via ms-msdt: protocol handler
  4. Code execution - PowerShell runs with user privileges

The Bigger Picture

Follina highlighted that Windows has many protocol handlers:

  • ms-msdt: - Microsoft Support Diagnostic Tool
  • search-ms: - Windows Search
  • ms-officecmd: - Office commands
  • ms-word: - Word operations

Each is a potential attack surface.

Payload Example

<!DOCTYPE html>
<html>
<body>
<script>
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebsrowseForFile=cal]c.exe\"";
</script>
</body>
</html>

Detection

MSDT Spawning Processes

index=sysmon EventCode=1 
  ParentImage="*\\msdt.exe"
| table _time, Computer, User, Image, CommandLine

Office Spawning MSDT

index=sysmon EventCode=1 
  Image="*\\msdt.exe"
  ParentImage IN ("*\\winword.exe", "*\\excel.exe", "*\\powerpnt.exe")
| table _time, Computer, CommandLine

Protocol Handler Invocation

index=sysmon EventCode=1 
  CommandLine="*ms-msdt:*" OR CommandLine="*search-ms:*"
| table _time, Computer, User, CommandLine
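As an added example (not code from the Splunk article or from this page), here are the three searches above replayed in Python over a handful of constructed Sysmon Event ID 1 records, so the matching logic can be checked offline. The events, their timestamps and the RecordId labels are constructed for the example, and the `_like` helper is a stand-in for Splunk's case-insensitive wildcard matching, not Splunk's own code.

```python
# Added example: the three SPL searches replayed over constructed Sysmon
# Event ID 1 records. Not from the Splunk article or this page.
from fnmatch import fnmatchcase

# Constructed sample events. Field names mirror the Sysmon Event ID 1 fields
# the searches reference; RecordId is a bookkeeping label added here.
SAMPLE_EVENTS = [
    {   # Word launching msdt.exe through the ms-msdt: handler (Follina-style chain)
        "RecordId": 1, "EventCode": 1, "_time": "2022-05-30T10:01:02Z",
        "Computer": "ws01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\msdt.exe",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "CommandLine": '"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id PCWDiagnostic '
                       '/skip force /param "<parameters omitted in this sample>"',
    },
    {   # msdt.exe spawning the diagnostic host (child of event 1)
        "RecordId": 2, "EventCode": 1, "_time": "2022-05-30T10:01:03Z",
        "Computer": "ws01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\sdiagnhost.exe",
        "ParentImage": "C:\\Windows\\System32\\msdt.exe",
        "CommandLine": '"C:\\Windows\\System32\\sdiagnhost.exe" -Embedding',
    },
    {   # ordinary activity: Explorer starting Notepad
        "RecordId": 3, "EventCode": 1, "_time": "2022-05-30T10:05:00Z",
        "Computer": "ws02", "User": "CORP\\bob",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": '"C:\\Windows\\System32\\notepad.exe"',
    },
    {   # a user opening a troubleshooter: msdt.exe with no Office parent and no URI
        "RecordId": 4, "EventCode": 1, "_time": "2022-05-30T10:07:10Z",
        "Computer": "ws02", "User": "CORP\\bob",
        "Image": "C:\\Windows\\System32\\msdt.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": '"C:\\Windows\\System32\\msdt.exe" /id NetworkDiagnosticsWeb',
    },
    {   # Explorer handling a search-ms: URI, a legitimate use of that handler
        "RecordId": 5, "EventCode": 1, "_time": "2022-05-30T10:09:45Z",
        "Computer": "ws03", "User": "CORP\\carol",
        "Image": "C:\\Windows\\explorer.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": '"C:\\Windows\\explorer.exe" "search-ms:query=quarterly%20report"',
    },
]


def _like(value: str, pattern: str) -> bool:
    """Splunk-style wildcard match: '*' matches any run of characters and the
    comparison is case-insensitive. fnmatch treats backslashes literally, so
    Windows paths need no escaping beyond Python's own string syntax."""
    return fnmatchcase(value.lower(), pattern.lower())


def _process_creates(events):
    """EventCode=1 is Sysmon's process-creation event."""
    return [e for e in events if e.get("EventCode") == 1]


def msdt_spawning_processes(events):
    """Search 1: any process whose parent is msdt.exe."""
    return [e for e in _process_creates(events) if _like(e["ParentImage"], "*\\msdt.exe")]


OFFICE_PARENTS = ("*\\winword.exe", "*\\excel.exe", "*\\powerpnt.exe")


def office_spawning_msdt(events):
    """Search 2: msdt.exe whose parent is an Office application."""
    return [e for e in _process_creates(events)
            if _like(e["Image"], "*\\msdt.exe")
            and any(_like(e["ParentImage"], p) for p in OFFICE_PARENTS)]


def protocol_handler_invocation(events):
    """Search 3: a protocol-handler URI anywhere on the command line."""
    return [e for e in _process_creates(events)
            if _like(e["CommandLine"], "*ms-msdt:*")
            or _like(e["CommandLine"], "*search-ms:*")]


def run_detections(events):
    """Return {search name: [RecordId, ...]} for all three searches."""
    return {
        "msdt_spawning_processes": [e["RecordId"] for e in msdt_spawning_processes(events)],
        "office_spawning_msdt": [e["RecordId"] for e in office_spawning_msdt(events)],
        "protocol_handler_invocation": [e["RecordId"] for e in protocol_handler_invocation(events)],
    }


if __name__ == "__main__":
    # Equivalent of the "| table _time, Computer, User, CommandLine" clause.
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
        for e in SAMPLE_EVENTS:
            if e["RecordId"] in hits:
                print(f"  {e['_time']}  {e['Computer']}  {e['User']}  {e['CommandLine']}")
```

Event 4 shows why the second and third searches are narrower than the first: msdt.exe started from the shell by a user is not flagged, only msdt.exe with an Office parent or a protocol URI on its command line. Event 5 shows the caveat for the third search: search-ms: is used legitimately by Windows Search, so that search suits triage and hunting better than it suits a stand-alone alert.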

Mitigations

  • Disable MSDT protocol handler (Microsoft’s recommendation)
  • Block external OLE connections
  • Monitor for Office spawning diagnostic tools
  • Keep Office updated

Read the full analysis: Follina for Protocol Handlers
