Exploiting SetupComplete.cmd CVE-2019-1378

calendar Jun 20, 2023 · attack.privilege_escalation attack.t1068 attack.execution attack.t1059.003 attack.t1574 cve.2019.1378 detection.emerging_threats  ·
Share on: linkedin copy

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Sigma rule (View on GitHub)

 1title: Exploiting SetupComplete.cmd CVE-2019-1378
 2id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
 3status: test
 4description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
 5references:
 6    - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
 7author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 8date: 2019/11/15
 9modified: 2021/11/27
10tags:
11    - attack.privilege_escalation
12    - attack.t1068
13    - attack.execution
14    - attack.t1059.003
15    - attack.t1574
16    - cve.2019.1378
17    - detection.emerging_threats
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        ParentCommandLine|contains|all:
24            - '\cmd.exe'
25            - '/c'
26            - 'C:\Windows\Setup\Scripts\'
27        ParentCommandLine|endswith:
28            - 'SetupComplete.cmd'
29            - 'PartnerSetupComplete.cmd'
30    filter:
31        Image|startswith:
32            - 'C:\Windows\System32\'
33            - 'C:\Windows\SysWOW64\'
34            - 'C:\Windows\WinSxS\'
35            - 'C:\Windows\Setup\'
36    condition: selection and not filter
37falsepositives:
38    - Unknown
39level: high

References

Related rules

to-top