Merge pull request #536 from Neo23x0/devel

Changes to CVE-2019-1388 rule
2019-11-20 09:27:56 +01:00
parent 0b9cd47c1e f9e6a929ba
commit 00a26dff16
1 changed files with 2 additions and 0 deletions
@@ -1,5 +1,6 @@
 title: Exploiting CVE-2019-1388
 id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
+status: experimental
 description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
 references:
    - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
@@ -15,6 +16,7 @@ detection:
    selection:
        ParentImage: '*\consent.exe'
        Image: '*\iexplore.exe'
+        CommandLine: '* http*'
    rights1:
        IntegrityLevel: 'System'  # for Sysmon users
    rights2: