From 55e66b1843b2d35b5024d102d2ea23b9e93ceb42 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 20 Nov 2019 09:21:42 +0100 Subject: [PATCH 1/2] rule: added status --- rules/windows/process_creation/win_exploit_cve_2019_1388.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml index 35147a01c..c77c12a07 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml @@ -1,5 +1,6 @@ title: Exploiting CVE-2019-1388 id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c +status: experimental description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM references: - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege From f9e6a929baa8c735198025cb46d2db8c12cddc57 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 20 Nov 2019 09:23:04 +0100 Subject: [PATCH 2/2] rule: made it more specific - command line must contain URL --- rules/windows/process_creation/win_exploit_cve_2019_1388.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml index c77c12a07..d47bc56bc 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml @@ -16,6 +16,7 @@ detection: selection: ParentImage: '*\consent.exe' Image: '*\iexplore.exe' + CommandLine: '* http*' rights1: IntegrityLevel: 'System' # for Sysmon users rights2: