From dbd97647f6fe5a5b5fbddea4d3fbc94afe4c256a Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Fri, 27 Nov 2020 12:22:04 -0300
Subject: [PATCH] Remove Additional backslash and update logic
---
 .../win_exploit_cve_2019_1378.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
index 0a2837c40..ef8256895 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378
 references:
 - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
 date: 2019/11/15
 modified: 2020/08/29
 tags:
@@ -19,15 +19,19 @@ logsource:
 product: windows
 detection:
 selection:
- ParentCommandLine|endswith:
- - '\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd'
- - '\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd'
+ ParentCommandLine|contains|all:
+ - '\cmd.exe'
+ - '/c'
+ - 'C:\Windows\Setup\Scripts\'
+ ParentCommandLine|endswith:
+ - 'SetupComplete.cmd'
+ - 'PartnerSetupComplete.cmd'
 filter:
 Image|startswith:
- - 'C:\Windows\System32\\'
- - 'C:\Windows\SysWOW64\\'
- - 'C:\Windows\WinSxS\\'
- - 'C:\Windows\Setup\\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
+ - 'C:\Windows\Setup\'
 condition: selection and not filter
 falsepositives:
 - Unknown
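Review bot: The `modified: 2020/08/29` line stays unchanged in this hunk although the same commit rewrites the detection block, so the rule's own metadata no longer reflects when its logic last changed. The commit is dated 27 Nov 2020, so the field should be bumped alongside the author line, e.g. `modified: 2020/11/27`. Rule consumers that diff by the `modified` field will otherwise miss that the matching behaviour changed.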
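Review bot: The new `ParentCommandLine|endswith` list carries a redundant entry: `'PartnerSetupComplete.cmd'` is already matched by `'SetupComplete.cmd'`, since endswith is a suffix test, so the second value adds nothing and suggests a distinction the rule does not actually make. Either drop it or annotate it with `# PartnerSetupComplete.cmd is already covered by the SetupComplete.cmd suffix; kept for readability`. Note also that replacing the single full-string suffix with `contains|all` on `'\cmd.exe'`, `'/c'` and `'C:\Windows\Setup\Scripts\'` drops the original ordering constraint, so any parent command line carrying those three fragments anywhere now satisfies the selection; that is presumably intended to tolerate quoting and argument variations, but a one-line comment stating that intent would help future maintainers judge the false-positive trade-off.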