The hypothesis is that the detection rule identifies potential exploitation of CVE-2019-0808 through the creation of suspicious Nufsys files, which could indicate an attacker escaping a security sandbox. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate zero-day attacks targeting Windows 7 environments.
KQL Query
```kql
// File creation events associated with the Nufsys components
DeviceFileEvents
| where Timestamp > ago(14d)
| where (FolderPath contains "temp" and FileName in~ ("updata.exe", "recovery_db.exe", "spsextserver.exe", "recoverydb.exe"))
    or SHA1 in ("987cf95281a3f6449681148ea05e44115f74ccbc",
                "6f465b791ab8ef289f20c412808af7ae331c87ab",
                "d5c6c037735c4518fffcdac1026770d8d251c7c8") // SHA1 hashes of the files named above
```
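To make the rule's semantics concrete, here is an added Python model of the predicate run over a handful of constructed DeviceFileEvents rows (example code written for this page, not Microsoft's or the rule's own code). The file names and SHA1 values are the ones in the query; the rows, device names and the reference time `NOW` are invented sample data.

```python
from datetime import datetime, timedelta, timezone

# Watchlist taken from the page's query: file names and SHA1 hashes of the Nufsys components.
SUSPICIOUS_NAMES = {"updata.exe", "recovery_db.exe", "spsextserver.exe", "recoverydb.exe"}
SUSPICIOUS_SHA1 = {
    "987cf95281a3f6449681148ea05e44115f74ccbc",
    "6f465b791ab8ef289f20c412808af7ae331c87ab",
    "d5c6c037735c4518fffcdac1026770d8d251c7c8",
}

def matches_rule(event, now, lookback=timedelta(days=14)):
    """Mirror the KQL predicate. 'and' binds tighter than 'or', so the query reads
    (FolderPath contains "temp" and FileName in~ names) or SHA1 in hashes: a known-bad
    hash fires wherever the file lands. KQL 'contains' and 'in~' are case-insensitive
    (so 'temp' also matches e.g. a Templates folder); the plain 'in' on SHA1 is exact."""
    if event["Timestamp"] <= now - lookback:  # Timestamp > ago(14d)
        return False
    name_hit = ("temp" in event["FolderPath"].lower()
                and event["FileName"].lower() in SUSPICIOUS_NAMES)
    hash_hit = event["SHA1"] in SUSPICIOUS_SHA1
    return name_hit or hash_hit

def hunt(events, now):
    """Return (DeviceName, FolderPath, FileName) for each event the rule would surface."""
    return [(e["DeviceName"], e["FolderPath"], e["FileName"])
            for e in events if matches_rule(e, now)]

# Constructed DeviceFileEvents rows (sample data, not real telemetry), only the columns the rule reads.
NOW = datetime(2019, 3, 20, tzinfo=timezone.utc)

def row(days_ago, device, folder, name, sha1):
    return {"Timestamp": NOW - timedelta(days=days_ago), "DeviceName": device,
            "FolderPath": folder, "FileName": name, "SHA1": sha1}

SAMPLE_EVENTS = [
    row(1, "ws01", r"C:\Users\alice\AppData\Local\Temp", "updata.exe", "0" * 40),  # name in temp
    row(2, "ws02", r"C:\Windows\Temp", "RecoveryDB.EXE", "1" * 40),  # in~ is case-insensitive
    row(3, "ws03", r"C:\Windows\System32", "svchost.exe",
        "6f465b791ab8ef289f20c412808af7ae331c87ab"),  # known hash outside any temp folder
    row(4, "ws04", r"C:\Program Files\Tool", "updata.exe", "2" * 40),  # not temp, unknown hash
    row(20, "ws05", r"C:\Windows\Temp", "updata.exe", "3" * 40),  # older than the 14d window
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, NOW):
        print(hit)
```

Because the rule keys only on the four names and three hashes, the generic temp-file exclusions listed in the false-positive scenarios further down cannot suppress any of its hits unless the name list is broadened.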
```yaml
id: 447cdff3-2bfc-4f7a-b718-048d6d0ebd87
name: cve-2019-0808-nufsys-file creation
description: |
  This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808.
  CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.
  Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched.
  The following query detects possible CVE-2019-0808 exploitation by finding suspicious file creation events associated with Nufsys.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-0808
  https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-0808
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Persistence
  - Privilege escalation
  - Vulnerability
  - Malware, component
query: |
  // File creation events associated with the Nufsys components
  DeviceFileEvents
  | where Timestamp > ago(14d)
  | where (FolderPath contains "temp" and FileName in~ ("updata.exe", "recovery_db.exe", "spsextserver.exe", "recoverydb.exe"))
      or SHA1 in ("987cf95281a3f6449681148ea05e44115f74ccbc",
                  "6f465b791ab8ef289f20c412808af7ae331c87ab",
                  "d5c6c037735c4518fffcdac1026770d8d251c7c8") // SHA1 hashes of the files named above
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate system file creation via Windows Update
Description: A system file related to a Windows update is created in the C:\Windows\Temp directory as part of the update process.
Filter/Exclusion: Check the file name against known Windows Update files (e.g., wusa.exe, WindowsUpdate.log), or append a filter on the DeviceFileEvents columns such as:
```kql
| where FileName !in~ ("WindowsUpdate.log", "wusa.exe", "setup.exe")
```

Scenario: Scheduled Task Creating Temporary Files
Description: A legitimate scheduled task (e.g., Task Scheduler) creates temporary files in the system temp directory during routine maintenance.
Filter/Exclusion: Filter by the initiating process name or user context, such as:
```kql
| where InitiatingProcessFileName !in~ ("schtasks.exe", "taskhost.exe") or InitiatingProcessAccountName !in~ ("SYSTEM")
```

Scenario: Admin Using PowerShell to Generate Temporary Files
Description: An administrator uses PowerShell to generate temporary files for script execution or debugging.
Filter/Exclusion: Filter by the initiating process name or command line, such as:
```kql
| where InitiatingProcessFileName !in~ ("powershell.exe") or InitiatingProcessCommandLine !contains "New-Item"
```

Scenario: Antivirus or EDR Tool Creating Temporary Files
Description: A security tool (e.g., Microsoft Defender or CrowdStrike Falcon) creates temporary files during scanning or analysis.
Filter/Exclusion: Filter by the initiating process name (i.e., the vendor's agent), such as:
```kql
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "falcon.exe", "mpsvc.exe")
```
Scenario: User-Initiated File Creation for Software Installation
Description: A user installs software that creates temporary files in the system temp