title: Exploiting SetupComplete.cmd CVE-2019-1378
author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/11/15
modified: 2020/08/29
description: Detects an exploitation attempt of the privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
status: experimental
level: high
references:
    - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
tags:
    - attack.privilege_escalation
    - attack.t1068
    - attack.execution
    - attack.t1059.003
    - attack.t1059
    - attack.t1574
    - cve.2019.1378
logsource:
    category: process_creation
    product: windows
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        ParentCommandLine: '*\cmd.exe*'
    SELECTION_3:
        ParentCommandLine: '*/c*'
    SELECTION_4:
        ParentCommandLine: '*C:\Windows\Setup\Scripts\\*'
    SELECTION_5:
        ParentCommandLine: '*SetupComplete.cmd'
    SELECTION_6:
        ParentCommandLine: '*PartnerSetupComplete.cmd'
    SELECTION_7:
        Image: C:\Windows\System32\\*
    SELECTION_8:
        Image: C:\Windows\SysWOW64\\*
    SELECTION_9:
        Image: C:\Windows\WinSxS\\*
    SELECTION_10:
        Image: C:\Windows\Setup\\*
    condition: SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5 or SELECTION_6)) and not (SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
falsepositives:
    - Unknown
yml_filename: win_exploit_cve_2019_1378.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation