Exploiting SetupComplete.cmd CVE-2019-1378
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Sigma rule (View on GitHub)
1title: Exploiting SetupComplete.cmd CVE-2019-1378
2id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
3status: test
4description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
5references:
6 - https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
7author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
8date: 2019-11-15
9modified: 2021-11-27
10tags:
11 - attack.privilege-escalation
12 - attack.t1068
13 - attack.execution
14 - attack.t1059.003
15 - attack.t1574
16 - cve.2019-1378
17 - detection.emerging-threats
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 ParentCommandLine|contains|all:
24 - '\cmd.exe'
25 - '/c'
26 - 'C:\Windows\Setup\Scripts\'
27 ParentCommandLine|endswith:
28 - 'SetupComplete.cmd'
29 - 'PartnerSetupComplete.cmd'
30 filter:
31 Image|startswith:
32 - 'C:\Windows\System32\'
33 - 'C:\Windows\SysWOW64\'
34 - 'C:\Windows\WinSxS\'
35 - 'C:\Windows\Setup\'
36 condition: selection and not filter
37falsepositives:
38 - Unknown
39level: high
References
Related rules
- Audit CVE Event
- Elise Backdoor Activity
- Exploited CVE-2020-10189 Zoho ManageEngine
- HackTool - CrackMapExec Execution
- OMIGOD HTTP No Authentication RCE