Adversaries may exploit CVE-2019-0973, a Windows Installer elevation-of-privilege vulnerability, to bypass installer restrictions and execute malicious payloads with elevated rights on compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate the lateral movement and persistence that advanced threats build on such privilege escalation.
KQL Query

```kusto
//Find possible use of InstallerBypass (Windows Installer Service exploit)
DeviceProcessEvents
| where FileName =~ "msiexec.exe"
| where ProcessCommandLine contains "/fa"
    and ProcessCommandLine contains ":\\windows\\installer"
```
Analytics Rule YAML

```yaml
id: 9c721e08-0a1b-4baf-b3ea-262dc1831faa
name: detect-cve-2019-0973-installerbypass-exploit
description: |
  This query was originally published in the threat analytics report, May 2019 0-day disclosures.
  In May and June of 2019, a security researcher with the online alias SandboxEscaper discovered and published several elevation-of-privilege vulnerabilities on GitHub. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities.
  Patches and more information about each vulnerability are available below:
  1. CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability
  2. CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability
  3. CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability
  4. CVE-2019-1064 | Windows Elevation of Privilege Vulnerability
  5. CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability
  6. CVE-2019-1129 | Windows Elevation of Privilege Vulnerability
  This query locates possible activity that exploits CVE-2019-0973 (also known as InstallerBypass), the fifth vulnerability listed above.
  Reference - https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Privilege escalation
query: |
  //Find possible use of InstallerBypass (Windows Installer Service exploit)
  DeviceProcessEvents
  | where FileName =~ "msiexec.exe"
  | where ProcessCommandLine contains "/fa"
      and ProcessCommandLine contains ":\\windows\\installer"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Legitimate scheduled job using msiexec for software updates
Description: A scheduled task runs msiexec to install a legitimate software update, which may trigger the rule due to the use of msiexec and potential command-line arguments.
Filter/Exclusion: Check for CommandLine containing --log or --quiet and ensure the file path points to a known enterprise update repository (e.g., \\server\updates\).

Scenario: System administrator using msiexec to deploy a patch manually
Description: An admin manually runs msiexec to install a patch on a workstation, which may be flagged due to the use of msiexec and the presence of a suspicious command-line argument.
Filter/Exclusion: Filter by User field to include only admin accounts (e.g., Administrator) and check for CommandLine containing --passive or --norestart.

Scenario: Enterprise software deployment using SCCM or similar tools
Description: A deployment tool like SCCM or Microsoft Endpoint Configuration Manager uses msiexec to install software across the network, which may trigger the rule due to the use of msiexec and the presence of a command-line argument.
Filter/Exclusion: Check for ProcessName matching msiexec.exe and ensure the ParentProcess is a known deployment tool (e.g., ccmexec.exe or setup.exe).

Scenario: Legitimate use of msiexec for installing a trusted application
Description: A user or admin installs a trusted application (e.g., Adobe Reader, Java) using msiexec, which may be flagged due to the use of msiexec and the presence of a command-line argument.
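As an added example that is not part of the original rule, the following Python emulates the query's predicate offline (KQL `=~` and `contains` are case-insensitive, so both sides are lowered) and layers on the parent-process exclusion from the deployment-tool scenario above; the DeviceProcessEvents column that carries the parent is InitiatingProcessFileName, and the event rows and package names are constructed.

```python
from dataclasses import dataclass

# The KQL literal ":\\windows\\installer" is the path fragment :\windows\installer;
# KQL `contains` and `=~` are case-insensitive, so every comparison is lowered.
NEEDLE_SWITCH = "/fa"
NEEDLE_PATH = ":\\windows\\installer"


@dataclass
class DeviceProcessEvent:
    """Subset of the DeviceProcessEvents columns the rule and the triage use."""
    DeviceName: str
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str  # parent process, used for the exclusion


def rule_matches(ev: DeviceProcessEvent) -> bool:
    """Same predicate as the KQL rule: msiexec.exe with both substrings present."""
    cmd = ev.ProcessCommandLine.lower()
    return ev.FileName.lower() == "msiexec.exe" and NEEDLE_SWITCH in cmd and NEEDLE_PATH in cmd


def triage(events, trusted_parents=("ccmexec.exe",)):
    """Split rule hits into (alerts, suppressed) by parent process name, the
    exclusion suggested for the SCCM / deployment-tool scenario."""
    trusted = {p.lower() for p in trusted_parents}
    alerts, suppressed = [], []
    for ev in filter(rule_matches, events):
        bucket = suppressed if ev.InitiatingProcessFileName.lower() in trusted else alerts
        bucket.append(ev)
    return alerts, suppressed


# Constructed sample rows (not real telemetry); package names are made up.
SAMPLE_EVENTS = [
    # repair (/fa) of a cached package launched from a user shell: alert
    DeviceProcessEvent("ws01", "MSIEXEC.EXE",
                       r"msiexec.exe /fa C:\Windows\Installer\1a2b3c.msi /q", "cmd.exe"),
    # same command line spawned by the SCCM agent: rule hit, but suppressed
    DeviceProcessEvent("ws02", "msiexec.exe",
                       r"msiexec.exe /fa c:\windows\installer\4d5e6f.msi", "CcmExec.exe"),
    # ordinary install from a share, no /fa switch: not a hit
    DeviceProcessEvent("ws03", "msiexec.exe",
                       r"msiexec.exe /i \\fileserver\updates\app.msi /qn", "explorer.exe"),
    # /fa present but the package sits outside the Installer cache: not a hit
    DeviceProcessEvent("ws04", "msiexec.exe",
                       r"msiexec.exe /fa D:\pkgs\app.msi", "powershell.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` returns ws01 as the only alert and ws02 as the only suppressed hit, which shows that the rule keys on a repair of a cached package rather than on msiexec use in general.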