The hypothesis is that an adversary is exploiting CVE-2019-0808 to escape a Windows security sandbox, indicating potential privilege escalation or evasion of detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging zero-day vulnerabilities in legacy systems.
KQL Query

```kql
//Network Communication to C&C
DeviceNetworkEvents
| where Timestamp > ago(14d)
| where RemoteUrl in("luckluck.blog", "fffun-video.biz") //Dest Address DNS
    or RemoteIP == "63.141.233.82" //Destination Address
```
```yaml
id: 0be1295f-b417-477b-95d1-82ce7c43fa03
name: cve-2019-0808-c2
description: |
  This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808.
  CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.
  Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched.
  The following query detects possible CVE-2019-0808 exploitation by reporting network communication associated with the Nufsys attacks.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-0808
  https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-0808
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Privilege escalation
  - Command and control
  - Vulnerability
query: |
  //Network Communication to C&C
  DeviceNetworkEvents
  | where Timestamp > ago(14d)
  | where RemoteUrl in("luckluck.blog", "fffun-video.biz") //Dest Address DNS
      or RemoteIP == "63.141.233.82" //Destination Address
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task on Windows 7 that performs system updates or disk cleanup may trigger the rule because its process behaviour resembles that of the exploit.
Filter/Exclusion: process.name not in ("wusa.exe", "dism.exe")
Scenario: Microsoft Update Agent (wusa.exe)
Description: The Windows Update Standalone Setup (wusa.exe) is often used to install updates and may exhibit behaviour similar to the exploit.
Filter/Exclusion: process.name != "wusa.exe"
Scenario: Windows Defender Scan
Description: Windows Defender scans, especially full system scans, may involve process execution patterns similar to those of the exploit.
Filter/Exclusion: process.name != "MsMpEng.exe"
Scenario: Admin Task for System Configuration
Description: An administrator may run a script or tool such as PsExec or PSTools to configure system settings remotely, which could trigger the rule.
Filter/Exclusion: process.name not in ("psexec.exe", "PsExec.exe")
Scenario: Legitimate Software Installation
Description: Installing enterprise software (e.g., Microsoft Office, Adobe products) may involve processes that mimic exploit behaviour during installation.
Filter/Exclusion: process.name not in ("msiexec.exe", "setup.exe")
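As an added example (not part of the hunting query or the original page), the Python below mirrors the KQL's two where-clauses over constructed DeviceNetworkEvents rows and applies the false-positive exclusions with the intended "not in" semantics; it also shows why a filter written as `p != "wusa.exe" or p != "dism.exe"` never excludes anything. It assumes InitiatingProcessFileName is the column the process-name exclusions refer to and uses a fixed reference time so the 14-day window is reproducible offline.

```python
from datetime import datetime, timedelta, timezone

# Indicators as listed in the page's KQL query.
C2_DOMAINS = {"luckluck.blog", "fffun-video.biz"}
C2_IPS = {"63.141.233.82"}
# Process names from the false-positive scenarios, applied as "not in"
# (AND semantics); the "!= a or != b" form on the page excludes nothing.
BENIGN_PROCESSES = frozenset({"wusa.exe", "dism.exe", "msmpeng.exe",
                              "psexec.exe", "msiexec.exe", "setup.exe"})
# Fixed reference time (assumption) so the 14-day window is reproducible.
NOW = datetime(2019, 4, 1, tzinfo=timezone.utc)

def matches_c2(event, now=NOW):
    """Mirror of the two where-clauses: 14d window, then destination IOCs."""
    if event["Timestamp"] <= now - timedelta(days=14):
        return False
    return event["RemoteUrl"] in C2_DOMAINS or event["RemoteIP"] in C2_IPS

def buggy_exclusion_keeps(process_name):
    """The page's filter as written: p != "wusa.exe" or p != "dism.exe".
    No value equals both strings, so the row is always kept."""
    return process_name != "wusa.exe" or process_name != "dism.exe"

def hunt(events, exclude=frozenset(), now=NOW):
    """Return IOC hits, dropping rows whose initiating process is excluded.
    Default is no exclusion: wusa.exe reaching a known C&C host is still a
    hit, so a process allow-list here trades coverage for fewer alerts."""
    return [e for e in events
            if matches_c2(e, now)
            and e["InitiatingProcessFileName"].lower() not in exclude]

# Constructed rows shaped like DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "win7-ws01",
     "RemoteUrl": "luckluck.blog", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": NOW - timedelta(days=2), "DeviceName": "win7-ws02",
     "RemoteUrl": "", "RemoteIP": "63.141.233.82",
     "InitiatingProcessFileName": "wusa.exe"},
    {"Timestamp": NOW - timedelta(days=20), "DeviceName": "win7-ws03",
     "RemoteUrl": "fffun-video.biz", "RemoteIP": "203.0.113.11",
     "InitiatingProcessFileName": "explorer.exe"},  # outside the 14d window
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "win7-ws04",
     "RemoteUrl": "update.example", "RemoteIP": "203.0.113.12",
     "InitiatingProcessFileName": "msiexec.exe"},  # benign destination, no hit
]
if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(e["DeviceName"], e["RemoteUrl"] or e["RemoteIP"])
```

Running it with the default (empty) exclusion set reports both indicator hits; passing `exclude=BENIGN_PROCESSES` silently drops the wusa.exe row that contacted the listed C&C address, which is the trade-off to weigh before adopting the exclusions above.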