SigmaHQ/rules/windows/process_creation/win_exploit_cve_2019_1388.yml

29 lines
1.0 KiB
YAML
Raw Normal View History

2019-11-20 08:16:00 +00:00
title: Exploiting CVE-2019-1388
2019-11-20 08:12:02 +00:00
id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
2019-11-20 08:21:42 +00:00
status: experimental
2019-11-20 08:12:02 +00:00
description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
2019-11-20 08:12:02 +00:00
- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth
date: 2019/11/20
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: '*\consent.exe'
Image: '*\iexplore.exe'
CommandLine: '* http*'
2019-11-20 08:12:02 +00:00
rights1:
IntegrityLevel: 'System' # for Sysmon users
rights2:
User: 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
condition: selection and ( rights1 or rights2 )
falsepositives:
- Unknown
level: critical