Adversaries may exploit CVE-2019-0863 (AngryPolarBearBug2), an elevation-of-privilege vulnerability in the Windows Error Reporting (WER) service, to go from a low-privileged user to SYSTEM on a Windows host. Microsoft patched it in May 2019, but a public proof-of-concept exists, so hosts that are behind on updates remain exploitable and SOC teams should hunt for the behaviour rather than rely on patch compliance alone. The query below keys on the trigger the proof-of-concept uses: starting a Windows Error Reporting scheduled task on demand with schtasks.exe /run. Events come from the Microsoft Defender for Endpoint DeviceProcessEvents table, so the hunt covers any onboarded Windows device, not only Azure-hosted ones.
KQL Query
//Find possible CVE-2019-0863 exploitation
DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine contains "Windows Error Reporting"
and ProcessCommandLine contains "/run"
id: 8cc1b312-46c6-4f41-bc66-f8a12fac7e67
name: detect-cve-2019-0863-AngryPolarBearBug2-exploit
description: |
  This query was originally published in the threat analytics report, May 2019 0-day disclosures.
  In May and June of 2019, a security researcher with the online alias SandboxEscaper discovered and published several elevation-of-privilege vulnerabilities on GitHub, including proofs-of-concept demonstrating how to exploit them.
  Patches and more information about each vulnerability are available below:
  1. CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability
  2. CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability
  3. CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability
  4. CVE-2019-1064 | Windows Elevation of Privilege Vulnerability
  5. CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability
  6. CVE-2019-1129 | Windows Elevation of Privilege Vulnerability
  This query locates possible activity that exploits CVE-2019-0863 (also known as AngryPolarBearBug2), the first vulnerability listed above.
  Reference - https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - PrivilegeEscalation
query: |
  //Find possible CVE-2019-0863 exploitation
  DeviceProcessEvents
  | where FileName =~ "schtasks.exe"
  | where ProcessCommandLine contains "Windows Error Reporting"
      and ProcessCommandLine contains "/run"
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure it is enabled and that the Windows devices in scope are onboarded to Defender for Endpoint |
The query only ever matches a schtasks.exe process whose command line starts a task on demand (/run) and names a Windows Error Reporting task. It looks at nothing else, so tuning should be expressed in terms of who ran schtasks.exe, what launched it, and where, not in terms of network activity or unrelated products. The scenarios below are the ones that can actually produce this event.
Scenario: Administrator manually starting the Windows Error Reporting QueueReporting task while troubleshooting error reporting
Filter/Exclusion: Exclude events where AccountName is a known administrative account (or the initiating process runs elevated), keeping every match from ordinary user accounts.
Rationale: The vulnerability is a local privilege escalation, so the signal is a low-privileged user triggering the task; an account that is already an administrator gains nothing from the exploit, and its use of schtasks /run is far more likely to be routine maintenance.
Scenario: Endpoint management or scripted maintenance tooling that starts scheduled tasks by name
Filter/Exclusion: Exclude by InitiatingProcessFileName (the agent or script host that spawned schtasks.exe) only after confirming from the data that the tool really issues schtasks /run against WER tasks; keep the exclusion as narrow as the parent process name plus its expected install path.
Rationale: Legitimate tooling produces this event repeatedly, on many hosts and on a schedule, whereas an exploit attempt is a one-off from an interactive shell or a dropped binary. Do not exclude on substrings such as "backup" or "snapshot" in the command line: they are unrelated to what the query matches and trivially added by an attacker.
Scenario: Authorized penetration test or red team exercise running the public proof-of-concept
Filter/Exclusion: Exclude the engagement's scoped DeviceName and AccountName values for the engagement window only.
Rationale: The query sees only schtasks.exe and its command line, so exclusions keyed on a testing tool's process name or on words like "exploit" or "test" would not suppress the event; scoping by host, account and time window does, and it expires with the engagement so real exploitation afterwards is still surfaced.
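To make the match semantics of the KQL above and the effect of the exclusions concrete, here is an added example (not part of the page or of the Azure Sentinel repository) that re-implements the query in Python over constructed DeviceProcessEvents-style records. It reproduces KQL's case-insensitive `=~` and `contains`, then applies the three exclusions from the scenarios. The account, host and agent names in the allowlists (helpdesk-admin, mgmtagent.exe, LAB-WS01/redteam) are hypothetical placeholders, and the sample events are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of the DeviceProcessEvents columns this hunt uses."""
    DeviceName: str
    AccountName: str
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str


def kql_eq(left: str, right: str) -> bool:
    """KQL `=~`: case-insensitive string equality."""
    return left.casefold() == right.casefold()


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.casefold() in haystack.casefold()


def base_query(events):
    """Mirror of the page's KQL: schtasks.exe starting a WER task on demand."""
    return [
        e for e in events
        if kql_eq(e.FileName, "schtasks.exe")
        and kql_contains(e.ProcessCommandLine, "Windows Error Reporting")
        and kql_contains(e.ProcessCommandLine, "/run")
    ]


# Hypothetical allowlists for the three false-positive scenarios; populate
# from your own environment and keep the red-team scope time-bounded.
ADMIN_ACCOUNTS = {"helpdesk-admin"}            # already privileged: exploit is pointless
MANAGEMENT_AGENTS = {"mgmtagent.exe"}          # parent confirmed to issue schtasks /run
TEST_SCOPE = {("lab-ws01", "redteam")}         # (DeviceName, AccountName) under engagement


def tuned_query(events):
    """Base query minus the documented exclusions; order of events is kept."""
    hits = []
    for e in base_query(events):
        if e.AccountName.casefold() in ADMIN_ACCOUNTS:
            continue
        if e.InitiatingProcessFileName.casefold() in MANAGEMENT_AGENTS:
            continue
        if (e.DeviceName.casefold(), e.AccountName.casefold()) in TEST_SCOPE:
            continue
        hits.append(e)
    return hits


# Constructed sample events (not real telemetry). The task path is the WER
# QueueReporting task that the page's query is written around.
WER_TASK = r'/tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"'
SAMPLE_EVENTS = [
    # low-privileged user from an interactive shell: the case we want to see
    ProcessEvent("WS-042", "jdoe", "schtasks.exe", "schtasks /run " + WER_TASK, "cmd.exe"),
    # same thing with odd casing: =~ and contains still match
    ProcessEvent("WS-017", "asmith", "SCHTASKS.EXE", "SCHTASKS /Run " + WER_TASK, "explorer.exe"),
    # administrator troubleshooting WER: excluded by account allowlist
    ProcessEvent("WS-003", "helpdesk-admin", "schtasks.exe", "schtasks /run " + WER_TASK, "powershell.exe"),
    # management agent triggering the task: excluded by parent process
    ProcessEvent("SRV-010", "SYSTEM", "schtasks.exe", "schtasks /run " + WER_TASK, "mgmtagent.exe"),
    # scoped red-team host and account: excluded for the engagement
    ProcessEvent("LAB-WS01", "redteam", "schtasks.exe", "schtasks /run " + WER_TASK, "cmd.exe"),
    # querying the task rather than running it: no /run, not matched
    ProcessEvent("WS-042", "jdoe", "schtasks.exe", "schtasks /query " + WER_TASK, "cmd.exe"),
    # running an unrelated task: not matched
    ProcessEvent("WS-042", "jdoe", "schtasks.exe",
                 r'schtasks /run /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"', "cmd.exe"),
    # cmd.exe wrapper: FileName is cmd.exe, so only the child schtasks.exe event matches
    ProcessEvent("WS-042", "jdoe", "cmd.exe", "cmd.exe /c schtasks /run " + WER_TASK, "explorer.exe"),
]


def summarize(events):
    """(DeviceName, AccountName) pairs of the events, for quick triage."""
    return [(e.DeviceName, e.AccountName) for e in events]


if __name__ == "__main__":
    print("raw matches:  ", summarize(base_query(SAMPLE_EVENTS)))
    print("after tuning: ", summarize(tuned_query(SAMPLE_EVENTS)))
```

The cmd.exe wrapper record shows why the hunt is written against FileName rather than the full command line of every process: the parent's command line also contains the trigger, but the event the query is meant to fire on is the child schtasks.exe process, which Defender for Endpoint records separately. The exclusions are deliberately keyed on account, parent process and host, never on free-text words in ProcessCommandLine, because the proof-of-concept's command line is fixed and any keyword exclusion is trivially evaded.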