Adversaries may exploit CVE-2019-1053 (the Windows Shell elevation-of-privilege vulnerability published under the name SandboxEscape) to escape sandboxed environments and execute arbitrary code, which may indicate a zero-day being used to bypass security tooling. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection mechanisms.
KQL Query

```kql
//Find possible use of SandboxEscape (Internet Explorer 11 exploit)
DeviceFileEvents
| where FolderPath contains @".{0afaced1-e828-11d1-9187-b532f1e9575d}\"
    and FileName endswith ".lnk"
```
```yaml
id: c176e100-03cc-4b02-873b-d9686f354330
name: detect-cve-2019-1053-sandboxescape-exploit
description: |
  This query was originally published in the threat analytics report, May 2019 0-day disclosures.
  In May and June of 2019, a security researcher with the online alias SandboxEscaper discovered and published several elevation-of-privilege vulnerabilities on GitHub. The researcher included proofs of concept demonstrating how to exploit these vulnerabilities.
  Patches and more information about each vulnerability are available below:
  1. CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability
  2. CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability
  3. CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability
  4. CVE-2019-1064 | Windows Elevation of Privilege Vulnerability
  5. CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability
  6. CVE-2019-1129 | Windows Elevation of Privilege Vulnerability
  This query locates possible activity that exploits CVE-2019-1053 (also known as SandboxEscape), the third vulnerability listed above.
  Reference - https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - PrivilegeEscalation
query: |
  //Find possible use of SandboxEscape (Internet Explorer 11 exploit)
  DeviceFileEvents
  | where FolderPath contains @".{0afaced1-e828-11d1-9187-b532f1e9575d}\"
      and FileName endswith ".lnk"
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is using PowerShell to automate the deployment of a Windows Update via a scheduled task. | Exclude processes where the command line includes wuauclt or wuauclt.exe and the parent process is a known system service (e.g., svchost.exe). |
| A Windows Task Scheduler job is configured to run a script that interacts with the Windows Event Log to generate logs for compliance purposes. | Exclude events where the process name is schtasks.exe and the command line includes log or eventlog. |
| A security tool like OSSEC or Microsoft Defender for Endpoint is performing log analysis or threat hunting activity that involves querying system logs. | Exclude processes where the executable is a known security tool (e.g., ossec.exe, MsMpEng.exe) or where the command line includes terms like log, analyze, or threat. |
| A system backup or snapshot process is initiated using VSS (Volume Shadow Copy Service), which may involve elevated privileges and process injection. | Exclude processes where the parent process is vssvc.exe or where the command line includes vssadmin or snapshot. |
| A remote desktop session (RDP) is being used by an admin to perform a remote code execution task, such as deploying a patch or configuration change. | Exclude processes where the parent process is termsrv.exe and the user is a known admin or has a legitimate remote access justification. |
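The base query above returns only the matching file rows, which leaves an analyst without the context needed to apply the exclusions listed in the scenarios (initiating process, its parent, its command line, the account). The following KQL is an added example, not part of the original hunting query or the Sentinel content: it keeps the page's match on `.lnk` files under the `{0afaced1-e828-11d1-9187-b532f1e9575d}` folder-shortcut CLSID, pulls the `InitiatingProcess*` columns of `DeviceFileEvents` that the exclusions refer to, drops a small allow-list of verified tooling, and rolls the results up per device and account for triage. The 7-day lookback and the allow-list contents (`MsMpEng.exe` is taken from the scenario table; any other entry is yours to verify) are assumptions for illustration.

```kql
// Added example (not the page's own query): enrich the SandboxEscape match
// with initiating-process context and a tunable allow-list, then summarize.
let lookback = 7d;                       // assumption: hunting window
// Constructed allow-list of initiating processes verified as benign in your
// environment. MsMpEng.exe comes from the exclusion scenarios above; keep this
// list short, because a .lnk under this CLSID folder is rarely legitimate.
let benignInitiators = dynamic(["MsMpEng.exe"]);
DeviceFileEvents
| where Timestamp > ago(lookback)
// The Folder Shortcut CLSID path abused by the SandboxEscape proof of concept
| where FolderPath contains @".{0afaced1-e828-11d1-9187-b532f1e9575d}\"
    and FileName endswith ".lnk"
// Exclude only verified tooling; case-insensitive so MsMpEng.exe == msmpeng.exe
| where InitiatingProcessFileName !in~ (benignInitiators)
| project Timestamp, DeviceName, ActionType, FolderPath, FileName, SHA256,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, InitiatingProcessAccountName,
    InitiatingProcessIntegrityLevel
// One row per device/account: how often, when, which files, which initiators
| summarize HitCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Files = make_set(FileName, 20),
    Initiators = make_set(InitiatingProcessFileName, 10),
    Parents = make_set(InitiatingProcessParentFileName, 10),
    CommandLines = make_set(InitiatingProcessCommandLine, 10),
    IntegrityLevels = make_set(InitiatingProcessIntegrityLevel, 5)
    by DeviceName, InitiatingProcessAccountName
| order by HitCount desc
```

When tuning, prefer excluding on `InitiatingProcessFileName` together with `InitiatingProcessParentFileName` rather than on command-line substrings such as `log` or `snapshot`, which match too broadly; the summarized `CommandLines` and `IntegrityLevels` sets make it easy to see whether a hit came from a low-integrity process writing into the CLSID folder, which is the pattern the original query is looking for.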