Adversaries may exploit the CVE-2019-1069 vulnerability in Microsoft Edge to execute arbitrary code through a maliciously crafted PDF file. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential exploitation of a zero-day vulnerability before it is widely used in active attacks.
KQL Query
```kusto
//Find possible use of BearLPE (Task Scheduler exploit)
DeviceFileEvents
| where FileName =~ "schtasks.exe"
| where InitiatingProcessCommandLine contains "/change"
    and InitiatingProcessCommandLine contains " /TN "
    and InitiatingProcessCommandLine contains " /RU "
    and InitiatingProcessCommandLine contains " /RP "
    and InitiatingProcessCommandLine !contains " /S "
    and InitiatingProcessCommandLine !contains " /ST "
    and InitiatingProcessCommandLine !contains " /SD "
    and InitiatingProcessIntegrityLevel !in ("", "High", "System")
```
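As an added example (not part of the original hunting query or its repository), the Python below re-implements the query's filter clauses, mirroring KQL's case-insensitive `contains`/`=~` and case-sensitive `!in`, and runs them over constructed DeviceFileEvents rows; the command lines, task names and integrity values are made up for illustration.

```python
"""Offline re-implementation of the BearLPE (CVE-2019-1069) hunting query."""
from dataclasses import dataclass


@dataclass
class DeviceFileEvent:
    # Only the three DeviceFileEvents columns the query reads.
    FileName: str
    InitiatingProcessCommandLine: str
    InitiatingProcessIntegrityLevel: str


def _contains(haystack: str, needle: str) -> bool:
    # KQL `contains` / `!contains` are case-insensitive substring tests.
    return needle.lower() in haystack.lower()


def matches_bearlpe_query(ev: DeviceFileEvent) -> bool:
    """True when the event satisfies every clause of the KQL query above."""
    if ev.FileName.lower() != "schtasks.exe":  # `=~` is case-insensitive equality
        return False
    cmd = ev.InitiatingProcessCommandLine
    # A task modification that sets the run-as user and password...
    if not all(_contains(cmd, t) for t in ("/change", " /TN ", " /RU ", " /RP ")):
        return False
    # ...without targeting a remote system or touching the schedule itself.
    if any(_contains(cmd, t) for t in (" /S ", " /ST ", " /SD ")):
        return False
    # `!in` is case-sensitive: blank, High and System integrity are dropped.
    return ev.InitiatingProcessIntegrityLevel not in ("", "High", "System")


# Constructed command line that has every flag the query looks for.
SUSPICIOUS_CMD = 'schtasks /change /TN "\\Microsoft\\Windows\\Demo" /RU "" /RP ""'

# Constructed sample rows, not real telemetry; expected outcome in the comment.
SAMPLE_EVENTS = [
    DeviceFileEvent("schtasks.exe", SUSPICIOUS_CMD, "Medium"),  # match
    DeviceFileEvent("schtasks.exe", SUSPICIOUS_CMD, "High"),    # elevated admin
    DeviceFileEvent("schtasks.exe",
                    "schtasks /change /TN Backup /RU svc /RP x /ST 02:00", "Medium"),  # /ST
    DeviceFileEvent("schtasks.exe",
                    "schtasks /change /S srv01 /TN Sync /RU svc /RP x", "Medium"),    # /S
    DeviceFileEvent("cmd.exe", SUSPICIOUS_CMD, "Medium"),       # FileName mismatch
]


def hunt(events=SAMPLE_EVENTS):
    """Apply the query to a list of events and return the matching rows."""
    return [ev for ev in events if matches_bearlpe_query(ev)]
```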
```yaml
id: d82cdd92-4818-4f55-9e14-68021c154cdb
name: detect-cve-2019-1069-bearlpe-exploit
description: |
  This query was originally published in the threat analytics report, May 2019 0-day disclosures.
  In May and June of 2019, a security researcher with the online alias SandboxEscaper discovered and published several elevation-of-privilege vulnerabilities on GitHub. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities.
  Patches and more information about each vulnerability are available below:
  1. CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability
  2. CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability
  3. CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability
  4. CVE-2019-1064 | Windows Elevation of Privilege Vulnerability
  5. CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability
  6. CVE-2019-1129 | Windows Elevation of Privilege Vulnerability
  This query locates possible activity that exploits CVE-2019-1069 (also known as BearLPE), the second vulnerability listed above.
  Reference - https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Privilege escalation
query: |
  //Find possible use of BearLPE (Task Scheduler exploit)
  DeviceFileEvents
  | where FileName =~ "schtasks.exe"
  | where InitiatingProcessCommandLine contains "/change"
      and InitiatingProcessCommandLine contains " /TN "
      and InitiatingProcessCommandLine contains " /RU "
      and InitiatingProcessCommandLine contains " /RP "
      and InitiatingProcessCommandLine !contains " /S "
      and InitiatingProcessCommandLine !contains " /ST "
      and InitiatingProcessCommandLine !contains " /SD "
      and InitiatingProcessIntegrityLevel !in ("", "High", "System")
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using msiexec
Description: A scheduled backup task uses msiexec to install a legitimate backup tool, which may trigger the rule due to the presence of msiexec in the process chain.
Filter/Exclusion: Check for the presence of known backup tools (e.g., Veeam, Acronis) in the command line or process name. Exclude processes with backup, restore, or snapshot in the command line.
Scenario: System update using Windows Update or Group Policy
Description: A system update via Windows Update or Group Policy may involve msiexec to install patches, which could be flagged by the rule.
Filter/Exclusion: Filter events where the process is associated with wuauclt.exe (Windows Update) or gupdate.exe (Group Policy). Exclude processes with update, patch, or servicepack in the command line.
Scenario: Admin task using msiexec to deploy a legitimate application
Description: An administrator uses msiexec to deploy a legitimate enterprise application (e.g., Microsoft Office, Adobe Reader) via a script or group policy.
Filter/Exclusion: Check for the presence of known enterprise software in the command line (e.g., AdobeReader, MicrosoftOffice). Exclude processes initiated by gpupdate or schtasks.
Scenario: Malware analysis or sandbox environment
Description: A security analyst is running a malware analysis tool (e.g., Cuckoo Sandbox, Joe Sandbox) that uses msiexec to execute payloads for analysis, which may trigger the rule.
Filter/Exclusion: Filter events from known sandbox environments (e.g., sandbox, vm, analysis). Exclude