Exploiting CVE-2019-1388
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
Sigma rule (View on GitHub)
1title: Exploiting CVE-2019-1388
2id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
3status: stable
4description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
5references:
6 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
7 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
8author: Florian Roth (Nextron Systems)
9date: 2019-11-20
10modified: 2024-12-01
11tags:
12 - attack.privilege-escalation
13 - attack.t1068
14 - cve.2019-1388
15 - detection.emerging-threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 ParentImage|endswith: '\consent.exe'
22 Image|endswith: '\iexplore.exe'
23 CommandLine|contains: ' http'
24 selection_rights:
25 - IntegrityLevel:
26 - 'System' # for Sysmon users
27 - 'S-1-16-16384' # System
28 - User|contains: # covers many language settings
29 - 'AUTHORI'
30 - 'AUTORI'
31 condition: all of selection_*
32falsepositives:
33 - Unknown
34level: critical
References
-
Not much interesting so far, just Yes and No buttons, a password input field, and an X button. You can click the upper-left corner of the window and get the standard, little-used “window menu”, having just Move and Close commands. The password input field is a bit interesting to poke around in. Perh
Read More
Related rules
- Potential CVE-2021-41379 Exploitation Attempt
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Suspicious Sysmon as Execution Parent
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential SystemNightmare Exploitation Attempt