Merge pull request #202 from martyav/cve-2019-0808

tali-ash · web-flow · commit 032e0bffc624 · 2020-08-17T12:17:42.000+03:00
Added 3 files for cve-2019-0808
diff --git a/Privilege escalation/cve-2019-0808-c2.md b/Privilege escalation/cve-2019-0808-c2.md
@@ -0,0 +1,50 @@
+# Command and control associated with privilege escalation vulnerability, CVE-2019-0808
+
+This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*
+
+[CVE-2019-0808](https://nvd.nist.gov/vuln/detail/CVE-2019-0808) is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.
+
+Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the *[Nufsys](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Nufsys.A&threatId=-2147233438)* backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been [patched](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808).
+
+The following query detects possible CVE-2019-0808 exploitation by reporting network communication associated with the Nufsys attacks.
+
+## Query
+
+```Kusto
+//Network Communication to C&C 
+DeviceNetworkEvents 
+| where Timestamp > ago(14d) 
+| where RemoteUrl  in("luckluck.blog", "fffun-video.biz") //Dest Address DNS 
+or RemoteIP  == "63.141.233.82" //Destination Address 
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation | v |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control | v |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability | v |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Backdoor associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-nufsys-file-creation.md)
+* [Task creation associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-set-scheduled-task.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
diff --git a/Privilege escalation/cve-2019-0808-nufsys-file creation.md b/Privilege escalation/cve-2019-0808-nufsys-file creation.md
@@ -0,0 +1,53 @@
+# Backdoor associated with privilege escalation vulnerability, CVE-2019-0808
+
+This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*
+
+[CVE-2019-0808](https://nvd.nist.gov/vuln/detail/CVE-2019-0808) is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.
+
+Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the *[Nufsys](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Nufsys.A&threatId=-2147233438)* backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been [patched](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808).
+
+The following query detects possible CVE-2019-0808 exploitation by finding suspicious file creation events associated with Nufsys.
+
+## Query
+
+```Kusto
+//File creation 
+DeviceFileEvents 
+| where Timestamp > ago(14d) 
+| where FolderPath  contains "temp" and  FileName in~("updata.exe", 
+"recovery_db.exe", "spsextserver.exe", "recoverydb.exe") 
+or SHA1 in("987cf95281a3f6449681148ea05e44115f74ccbc", 
+"6f465b791ab8ef289f20c412808af7ae331c87ab", 
+"d5c6c037735c4518fffcdac1026770d8d251c7c8") //File SHAs of above processes
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence | v |  |
+| Privilege escalation | v |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability | v |  |
+| Misconfiguration |  |  |
+| Malware, component | v |  |
+
+## See also
+
+* [Command and control associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-c2.md)
+* [Task creation associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-set-scheduled-task.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
diff --git a/Privilege escalation/cve-2019-0808-set-scheduled-task.md b/Privilege escalation/cve-2019-0808-set-scheduled-task.md
@@ -0,0 +1,52 @@
+# Task creation associated with privilege escalation vulnerability, CVE-2019-0808
+
+This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*
+
+[CVE-2019-0808](https://nvd.nist.gov/vuln/detail/CVE-2019-0808) is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.
+
+Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the *[Nufsys](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Nufsys.A&threatId=-2147233438)* backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been [patched](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808).
+
+The following query detects possible CVE-2019-0808 exploitation by reporting scheduled task creation events associated with the Nufsys attacks.
+
+## Query
+
+```Kusto
+//Scheduled task creation 
+DeviceProcessEvents 
+| where Timestamp  > ago(14d) 
+| where FileName =~ "schtasks.exe"  
+| where ProcessCommandLine  contains "highest" and 
+(ProcessCommandLine contains "ecosetup" or 
+ProcessCommandLine contains "spsextserv.exe")
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence | v |  |
+| Privilege escalation | v |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability | v |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Backdoor associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-nufsys-file-creation.md)
+* [Command and control associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-c2.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
