This detection identifies an adversary leveraging CVE-2019-0808 to escape a Windows security sandbox, surfacing the scheduled task creation associated with the exploit. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential sandbox escape and prevent further exploitation in controlled environments.
KQL Query
```kql
//Scheduled task creation
DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine contains "highest" and
    (ProcessCommandLine contains "ecosetup" or
     ProcessCommandLine contains "spsextserv.exe")
```
```yaml
id: 80cb5ddb-baf2-4eb2-9751-8f77c072eb4d
name: cve-2019-0808-set-scheduled-task
description: |
  This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808
  CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.
  Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched.
  The following query detects possible CVE-2019-0808 exploitation by reporting scheduled task creation events associated with the Nufsys attacks.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-0808
  https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-0808
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Persistence
  - Privilege escalation
  - Vulnerability
query: |
  //Scheduled task creation
  DeviceProcessEvents
  | where Timestamp > ago(14d)
  | where FileName =~ "schtasks.exe"
  | where ProcessCommandLine contains "highest" and
      (ProcessCommandLine contains "ecosetup" or
       ProcessCommandLine contains "spsextserv.exe")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
**Scenario:** Legitimate Scheduled Task for System Maintenance
**Description:** A system administrator creates a scheduled task using schtasks.exe to run a legitimate maintenance script (e.g., disk cleanup or log rotation).
**Filter/Exclusion:** Exclude tasks created by known admin accounts (e.g., Administrator, SYSTEM) or tasks that match known maintenance scripts (e.g., cleanmgr.exe, logman.exe).
**Example Filter:** `process.parent_process != "schtasks.exe" OR process.name IN ("cleanmgr.exe", "logman.exe")`

**Scenario:** Regular Patching or Update Task
**Description:** A scheduled task is configured to run Windows Update or a third-party patching tool (e.g., wuauclt.exe, msiexec.exe) as part of routine maintenance.
**Filter/Exclusion:** Exclude tasks that run during scheduled maintenance windows or that use known patching tools.
**Example Filter:** `process.name IN ("wuauclt.exe", "msiexec.exe") OR process.parent_process IN ("task scheduler", "schtasks.exe")`

**Scenario:** Automated Backup Job Using VSS
**Description:** A backup tool (e.g., vssadmin.exe, wbadmin.exe) runs a scheduled backup job that creates a volume shadow copy.
**Filter/Exclusion:** Exclude processes associated with backup tools or volume shadow copy operations.
**Example Filter:** `process.name IN ("vssadmin.exe", "wbadmin.exe") OR process.parent_process IN ("vssadmin.exe", "wbadmin.exe")`
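The following is an added example, not code from the original page or from the Sentinel query repository: it re-expresses the KQL predicate of the hunting query in Python, runs it over a handful of constructed `DeviceProcessEvents` rows, and then applies the account and maintenance-binary exclusions described in the false-positive scenarios above as a second pass. The fixed reference time `NOW`, the sample rows (task names, paths, account names) and the exclusion lists are all constructed for illustration and are not real telemetry.

```python
# Added example (not code from the original page or the Sentinel query
# repository): the KQL detection predicate mirrored in Python, run over
# constructed DeviceProcessEvents rows, with the tuning exclusions from the
# false-positive scenarios applied as a second pass.
from datetime import datetime, timedelta, timezone

# Constructed reference time standing in for KQL's now(); ago(14d) is taken
# relative to it so the sample rows evaluate deterministically.
NOW = datetime(2019, 4, 1, tzinfo=timezone.utc)


def _contains(haystack: str, needle: str) -> bool:
    # KQL `contains` and `=~` are case-insensitive; mirror that explicitly.
    return needle.lower() in haystack.lower()


def matches_base_query(event: dict, now: datetime = NOW, lookback_days: int = 14) -> bool:
    """Mirror of the page's query: schtasks.exe within the lookback window whose
    command line contains "highest" and either "ecosetup" or "spsextserv.exe"."""
    if event["Timestamp"] <= now - timedelta(days=lookback_days):
        return False
    if event["FileName"].lower() != "schtasks.exe":
        return False
    cmd = event["ProcessCommandLine"]
    return _contains(cmd, "highest") and (
        _contains(cmd, "ecosetup") or _contains(cmd, "spsextserv.exe")
    )


# Exclusion lists drawn from the scenarios above (admin accounts, maintenance
# and backup binaries). Hypothetical defaults; tune them per environment.
KNOWN_ADMIN_ACCOUNTS = {"administrator", "system"}
KNOWN_MAINTENANCE_BINARIES = {"cleanmgr.exe", "logman.exe", "vssadmin.exe", "wbadmin.exe"}


def is_known_benign(event: dict) -> bool:
    """Second-pass tuning: drop rows run by a known admin account or whose
    command line launches a known maintenance/backup binary."""
    if event.get("AccountName", "").lower() in KNOWN_ADMIN_ACCOUNTS:
        return True
    cmd = event["ProcessCommandLine"]
    return any(_contains(cmd, binary) for binary in KNOWN_MAINTENANCE_BINARIES)


def hunt(events: list, now: datetime = NOW, apply_tuning: bool = True) -> list:
    """Return the ReportIds that survive the base predicate (and, optionally,
    the tuning exclusions), in input order."""
    hits = []
    for event in events:
        if not matches_base_query(event, now):
            continue
        if apply_tuning and is_known_benign(event):
            continue
        hits.append(event["ReportId"])
    return hits


def _event(report_id, days_ago, file_name, cmd, account):
    # Builds one constructed row using the real DeviceProcessEvents column names.
    return {
        "ReportId": report_id,
        "Timestamp": NOW - timedelta(days=days_ago),
        "FileName": file_name,
        "ProcessCommandLine": cmd,
        "AccountName": account,
    }


# Constructed sample rows (not real telemetry); task names and paths are made up.
SAMPLE_EVENTS = [
    # Matches: the pattern the query was written for.
    _event("evt-1", 2, "schtasks.exe",
           r'schtasks.exe /create /RL HIGHEST /TN ecosetup /TR "C:\Users\Public\ecosetup.exe" /SC ONLOGON',
           "jdoe"),
    # Matches despite mixed case, because =~ and contains ignore case.
    _event("evt-2", 1, "SCHTASKS.EXE",
           r'SCHTASKS.EXE /Create /RL Highest /TN Update /TR "C:\ProgramData\spsextserv.exe"',
           "jdoe"),
    # Routine disk-cleanup task: "highest" is present but neither indicator string.
    _event("evt-3", 3, "schtasks.exe",
           "schtasks.exe /create /rl highest /tn DiskCleanup /tr cleanmgr.exe /sc weekly",
           "Administrator"),
    # Same command line as evt-1 but outside the 14-day window.
    _event("evt-4", 20, "schtasks.exe",
           r'schtasks.exe /create /RL HIGHEST /TN ecosetup /TR "C:\Users\Public\ecosetup.exe"',
           "jdoe"),
    # Indicator strings present, but run as SYSTEM: the account exclusion drops it.
    _event("evt-5", 1, "schtasks.exe",
           r'schtasks.exe /create /RL HIGHEST /TN ecosetup /TR "C:\Users\Public\ecosetup.exe"',
           "SYSTEM"),
    # Wrong image: the same strings in a PowerShell command line do not match.
    _event("evt-6", 1, "powershell.exe",
           "powershell.exe -c schtasks /create /RL HIGHEST /TN ecosetup",
           "jdoe"),
]

if __name__ == "__main__":
    print("base query hits:", hunt(SAMPLE_EVENTS, apply_tuning=False))  # ['evt-1', 'evt-2', 'evt-5']
    print("after tuning   :", hunt(SAMPLE_EVENTS))                      # ['evt-1', 'evt-2']
```

Two things the run makes visible. First, KQL `=~` and `contains` are case-insensitive, so the mixed-case `SCHTASKS.EXE` row still matches; a detection rewritten with case-sensitive operators would miss it. Second, because the base predicate already requires the Nufsys-specific strings `ecosetup` or `spsextserv.exe`, the generic scheduled-task exclusions only bite when one of those rows also runs under an excluded account or launches an excluded binary, and an account-based exclusion can then suppress a true positive (evt-5 here). Prefer the binary-based exclusions over account-based ones, and never add the indicator strings themselves to an exclusion set.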
**Scenario:** User-Initiated Task Scheduler Job
**Description:** A user manually schedules a task using schtasks.exe to run a legitimate script or application (e.g., powershell.exe, cmd.exe).
**Filter