Potential BearLPE Exploitation

Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write

Sigma rule

title: Potential BearLPE Exploitation
id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
status: test
description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write
references:
    - https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
author: Olaf Hartong
date: 2019-05-22
modified: 2023-01-26
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1053.005
    - car.2013-08-001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    # Either the image path or the PE original file name identifies schtasks.exe,
    # so a renamed copy of the binary is still caught via OriginalFileName.
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    # All four switches must be present: changing a task (/change, /TN) while
    # supplying new run-as credentials (/RU, /RP).
    selection_cli:
        CommandLine|contains|all:
            - '/change'
            - '/TN'
            - '/RU'
            - '/RP'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
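To show how the two selections combine under "all of selection*", here is an added Python example (not part of the rule or the Sigma project) that evaluates the rule's logic over constructed process_creation events; it applies Sigma's default case-insensitive string matching for the endswith and contains modifiers.

```python
# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # schtasks changing a task's run-as credentials: should match
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /change /TN "\Microsoft\Windows\Backup" /RU SYSTEM /RP ""',
    },
    {   # schtasks only querying a task: no /change, /RU or /RP
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /query /TN "\Microsoft\Windows\Backup"',
    },
    {   # renamed copy of schtasks.exe; OriginalFileName still identifies it
        "Image": r"C:\Tools\renamed.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r"renamed.exe /Change /tn Updater /ru SYSTEM /rp x",
    },
    {   # cmd.exe carrying the same switches in its own command line:
        # selection_img fails, so the rule does not fire on this event itself
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd /c schtasks /change /TN x /RU y /RP z",
    },
]


def selection_img(ev):
    # A list under a field map is OR'ed; Sigma string matching is case-insensitive.
    image = ev.get("Image", "").lower()
    original = ev.get("OriginalFileName", "").lower()
    return image.endswith("\\schtasks.exe") or original == "schtasks.exe"


def selection_cli(ev):
    # contains|all: every listed token must appear somewhere in CommandLine.
    cli = ev.get("CommandLine", "").lower()
    return all(token in cli for token in ("/change", "/tn", "/ru", "/rp"))


def matches_rule(ev):
    # condition: all of selection*  ->  selection_img AND selection_cli
    return selection_img(ev) and selection_cli(ev)


def alerting_events(events):
    # Indexes of the events the rule would alert on.
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print(alerting_events(SAMPLE_EVENTS))  # [0, 2]
```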
