Exploiting CVE-2019-1388
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
Sigma rule (View on GitHub)
1title: Exploiting CVE-2019-1388
2id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
3status: stable
4description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
5references:
6 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
7 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
8author: Florian Roth (Nextron Systems)
9date: 2019/11/20
10modified: 2022/05/27
11tags:
12 - attack.privilege_escalation
13 - attack.t1068
14 - cve.2019.1388
15 - detection.emerging_threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 ParentImage|endswith: '\consent.exe'
22 Image|endswith: '\iexplore.exe'
23 CommandLine|contains: ' http'
24 rights1:
25 IntegrityLevel: 'System' # for Sysmon users
26 rights2:
27 User|contains: # covers many language settings
28 - 'AUTHORI'
29 - 'AUTORI'
30 condition: selection and ( rights1 or rights2 )
31falsepositives:
32 - Unknown
33level: critical
References
-
Not much interesting so far, just Yes and No buttons, a password input field, and an X button. You can click the upper-left corner of the window and get the standard, little-used “window menu”, having just Move and Close commands. The password input field is a bit interesting to poke around in. Perh
Read More
Related rules
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential SystemNightmare Exploitation Attempt
- APT PRIVATELOG Image Load Pattern
- Moriya Rootkit File Created
- Potential BearLPE Exploitation