mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
32 lines
1.1 KiB
YAML
32 lines
1.1 KiB
YAML
title: Exploiting CVE-2019-1388
|
|
id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
|
|
status: experimental
|
|
description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
|
|
references:
|
|
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
|
|
- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
|
|
author: Florian Roth
|
|
date: 2019/11/20
|
|
modified: 2021/08/26
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.t1068
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
ParentImage|endswith: '\consent.exe'
|
|
Image|endswith: '\iexplore.exe'
|
|
CommandLine|contains: ' http'
|
|
rights1:
|
|
IntegrityLevel: 'System' # for Sysmon users
|
|
rights2:
|
|
User|startswith:
|
|
- 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
|
|
- 'AUTORITE NT\Sys' # French language settings
|
|
condition: selection and ( rights1 or rights2 )
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|