# Sigma rule (Windows process_creation) for CVE-2019-1388 exploitation attempts:
# the UAC consent dialogue (consent.exe) spawning Internet Explorer with a URL on
# its command line while the child already runs as SYSTEM.
# Keys are kept in the tool-exported (alphabetised after title) order.
title: Exploiting CVE-2019-1388
author: Florian Roth
date: 2019/11/20
description: >-
  Detects an exploitation attempt in which the UAC consent dialogue is
  used to invoke an Internet Explorer process running as LOCAL_SYSTEM

detection:
  # Sysmon Event ID 1 (process creation).
  SELECTION_1:
    EventID: 1
  # Parent is the UAC consent dialogue.
  SELECTION_2:
    ParentImage: '*\consent.exe'
  # Child is Internet Explorer ...
  SELECTION_3:
    Image: '*\iexplore.exe'
  # ... launched with a URL argument.
  SELECTION_4:
    CommandLine: '* http*'
  # The child runs with SYSTEM privileges, matched either on the integrity
  # level or on the account name (English and French-localised spellings).
  # Values are single-quoted so the backslash and trailing wildcard are literal.
  SELECTION_5:
    IntegrityLevel: System
  SELECTION_6:
    User: 'NT AUTHORITY\SYSTEM*'
  SELECTION_7:
    User: 'AUTORITE NT\Sys*'
  # Folded scalar: joins to the same single-line condition string.
  condition: >-
    (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5
    or (SELECTION_6 or SELECTION_7)))

falsepositives:
  - Unknown

id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
level: critical

logsource:
  category: process_creation
  product: windows

modified: 2021/08/26

references:
  - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
  - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege

status: experimental

tags:
  - attack.privilege_escalation
  - attack.t1068

# NOTE(review): the two keys below are not Sigma specification fields; they look
# like metadata added by the exporting tool (the path is machine-local) — confirm
# before relying on them.
yml_filename: win_exploit_cve_2019_1388.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation