title: Exploiting CVE-2019-1388
id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
status: experimental
description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
    - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth
date: 2019/11/20
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: '*\consent.exe'
        Image: '*\iexplore.exe'
        CommandLine: '* http*'
    rights1:
        IntegrityLevel: 'System'  # for Sysmon users
    rights2: 
        User: 'NT AUTHORITY\SYSTEM'  # for non-Sysmon users - English language settings
    condition: selection and ( rights1 or rights2 )
falsepositives:
    - Unknown
level: critical