valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e94c47e74e
SigmaHQ/rules/windows/process_creation/win_exploit_cve_2019_1378.yml

35 lines
1.1 KiB
YAML
Raw Normal View History

rule: Exploiting SetupComplete.cmd CVE-2019-1378
2019-11-14 23:26:18 +00:00
title: Exploiting SetupComplete.cmd CVE-2019-1378
id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
status: experimental
description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378
references:
- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
author: Florian Roth
date: 2019/11/15
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
modified: 2020/08/29
rule: Exploiting SetupComplete.cmd CVE-2019-1378
2019-11-14 23:26:18 +00:00
tags:
- attack.privilege_escalation
att&ck tags review: windows/process_creation part 2
2020-08-29 04:39:30 +00:00
- attack.t1068
- attack.execution
- attack.t1059.003
- attack.t1059 # an old one
- attack.t1574
rule: Exploiting SetupComplete.cmd CVE-2019-1378
2019-11-14 23:26:18 +00:00
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine:
- '*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd'
- '*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd'
filter:
Image:
- 'C:\Windows\System32\\*'
- 'C:\Windows\SysWOW64\\*'
- 'C:\Windows\WinSxS\\*'
- 'C:\Windows\Setup\\*'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Reference in New Issue Copy Permalink