Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE

Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service. During exploitation of this vulnerability, two events (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and EventID 1515 are logged (EventID 1515 on its own may generate many false positives, which is why the rule selects only 1511). Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.

Sigma rule

title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
id: 52a85084-6989-40c3-8f32-091e12e17692
status: test
description: |
    Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service.
    During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives).
    Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.
references:
    - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
author: Cybex
date: 2022-08-16
modified: 2025-11-03
tags:
    - attack.execution
    - detection.emerging-threats
    - cve.2022-21919
    - cve.2021-34484
logsource:
    product: windows
    service: application
detection:
    selection:
        EventID: 1511
        Provider_Name: 'Microsoft-Windows-User Profiles Service'
    condition: selection
falsepositives:
    - Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
level: low
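As an added example (not part of the rule page or of SigmaHQ), the following Python applies the rule's selection to a constructed Application-log export and, going one step beyond the rule itself, marks a 1511 hit as corroborated when a 1515 from the same provider follows within an assumed 30-second window; the export format, the window and all sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Selection taken from the Sigma rule above. Sigma string matching is
# case-insensitive, so the provider comparison is lowercased on both sides.
RULE_EVENT_ID = 1511
RULE_PROVIDER = "Microsoft-Windows-User Profiles Service"
CORROBORATING_EVENT_ID = 1515                 # noisy on its own; context only
CORROBORATION_WINDOW = timedelta(seconds=30)  # assumed window, not from the rule

@dataclass
class AppEvent:
    time: datetime
    event_id: int
    provider: str

def parse_line(line: str) -> AppEvent:
    """Parse one constructed 'timestamp|provider|eventid' export line."""
    ts, provider, event_id = line.split("|", 2)
    return AppEvent(datetime.fromisoformat(ts), int(event_id), provider)

def matches_rule(ev: AppEvent) -> bool:
    """Exactly the rule's selection: EventID 1511 from the User Profiles Service."""
    return ev.event_id == RULE_EVENT_ID and ev.provider.lower() == RULE_PROVIDER.lower()

def detect(lines):
    """Return (hit, corroborated) pairs; corroborated is True when a 1515 from
    the same provider follows the 1511 within CORROBORATION_WINDOW."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.time)
    results = []
    for i, ev in enumerate(events):
        if not matches_rule(ev):
            continue
        corroborated = any(
            later.event_id == CORROBORATING_EVENT_ID
            and later.provider.lower() == RULE_PROVIDER.lower()
            and later.time - ev.time <= CORROBORATION_WINDOW
            for later in events[i + 1:]
        )
        results.append((ev, corroborated))
    return results

# Constructed sample Application-log export; not real telemetry.
SAMPLE_LINES = [
    "2022-08-16T10:00:01|Microsoft-Windows-User Profiles Service|1500",
    "2022-08-16T10:05:12|Microsoft-Windows-User Profiles Service|1511",
    "2022-08-16T10:05:13|Microsoft-Windows-User Profiles Service|1515",
    "2022-08-16T11:30:00|microsoft-windows-user profiles service|1511",  # case differs, still matches
    "2022-08-16T12:00:00|Microsoft-Windows-Application-Experience|1511",  # same ID, other provider
]

if __name__ == "__main__":
    for hit, corroborated in detect(SAMPLE_LINES):
        print(f"{hit.time.isoformat()} EventID {hit.event_id} from {hit.provider!r} corroborated={corroborated}")
```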
