Adversaries may exploit CVE-2019-1129 in Microsoft Edge to execute arbitrary code, leveraging a zero-day flaw that was publicly disclosed in May 2019. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise by advanced threats exploiting this unpatched vulnerability before it is widely used in attacks.
KQL Query

```kql
//Find possible use of ByeBear (CVE-2019-1129)
DeviceProcessEvents
| where ProcessCommandLine contains @"packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
    and ProcessCommandLine contains "/S /Q"
    and (ProcessCommandLine contains "rmdir" or ProcessCommandLine contains "del")
```
```yaml
id: e9ff9991-7e5e-4bd4-8dea-e38db7e0027e
name: detect-cve-2019-1129-byebear-exploit
description: |
  This query was originally published in the threat analytics report, May 2019 0-day disclosures.
  In May and June of 2019, a security researcher with the online alias SandboxEscaper discovered and published several elevation-of-privilege vulnerabilities on GitHub. The researcher included proofs of concept demonstrating how to exploit these vulnerabilities.
  Patches and more information about each vulnerability are available below:
  1. CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability
  2. CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability
  3. CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability
  4. CVE-2019-1064 | Windows Elevation of Privilege Vulnerability
  5. CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability
  6. CVE-2019-1129 | Windows Elevation of Privilege Vulnerability
  This query locates possible activity that exploits CVE-2019-1129 (also known as ByeBear or CVE-2019-0841-Bypass 2), the sixth vulnerability listed above.
  Reference - https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - PrivilegeEscalation
query: |
  //Find possible use of ByeBear (CVE-2019-1129)
  DeviceProcessEvents
  | where ProcessCommandLine contains @"packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
      and ProcessCommandLine contains "/S /Q"
      and (ProcessCommandLine contains "rmdir" or ProcessCommandLine contains "del")
```
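To exercise the rule's matching logic offline, the following is an added Python re-implementation of the query's `where` predicate (example code, not part of the Sentinel rule or the threat analytics report), run over constructed DeviceProcessEvents rows. It mirrors KQL `contains` as a case-insensitive substring test, so a mixed-case `Packages\...` path or lower-case `/s /q` switches are still flagged; the column names are the real DeviceProcessEvents ones, while the sample rows and hostnames are constructed.

```python
# Added example, not part of the Sentinel rule: the KQL `where` predicate
# re-implemented in Python and run over constructed DeviceProcessEvents rows.

EDGE_PACKAGE_PATH = r"packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"


def kql_contains(haystack: str, needle: str) -> bool:
    """Mirror of KQL `contains`: a case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def matches_byebear_rule(command_line: str) -> bool:
    """Same three conditions as the hunting query's `where` clause."""
    return (
        kql_contains(command_line, EDGE_PACKAGE_PATH)
        and kql_contains(command_line, "/S /Q")
        and (kql_contains(command_line, "rmdir") or kql_contains(command_line, "del"))
    )


def run_query(events):
    """Equivalent of `DeviceProcessEvents | where ...` over in-memory rows."""
    return [e for e in events if matches_byebear_rule(e["ProcessCommandLine"])]


# Constructed sample rows (not real telemetry), limited to the columns the rule reads.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "alice",  # hit: mixed-case path still matches
     "ProcessCommandLine": r'cmd.exe /c rmdir /S /Q "C:\Users\alice\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings"'},
    {"DeviceName": "ws02", "AccountName": "bob",  # hit: lower-case /s /q still matches
     "ProcessCommandLine": r'cmd.exe /c del /s /q C:\Users\bob\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\*'},
    {"DeviceName": "ws03", "AccountName": "carol",  # miss: recursive delete, but not the Edge package path
     "ProcessCommandLine": r'cmd.exe /c rmdir /S /Q C:\Temp\build'},
    {"DeviceName": "ws04", "AccountName": "dave",  # miss: Edge package path, but no /S /Q switches
     "ProcessCommandLine": r'rmdir "C:\Users\dave\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC"'},
]

if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["AccountName"], hit["ProcessCommandLine"])
```

Running the block prints the two hits (ws01 and ws02); the two misses show the rule needs all three conditions, not just a delete or just the Edge path.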
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance or Patching Tasks
Description: Automated patching tools like Microsoft’s Windows Update or third-party tools like WSUS may trigger network traffic similar to the exploit.
Filter/Exclusion: Exclude traffic originating from known patch management servers or IP ranges associated with enterprise patching infrastructure.
Scenario: Legitimate Use of PowerShell for System Administration
Description: Admins may use PowerShell scripts for routine tasks such as log analysis, system monitoring, or configuration management, which could resemble malicious activity.
Filter/Exclusion: Exclude PowerShell scripts executed from known admin workstations or those containing known benign command patterns.
Scenario: Network Discovery or Inventory Scanning Tools
Description: Tools like Nmap, Nessus, or SolarWinds LCE may perform network discovery or asset inventory scans, which could be mistaken for exploit traffic.
Filter/Exclusion: Exclude traffic from known network scanning tools or IP addresses associated with internal network discovery tools.
Scenario: Internal Code Signing or Software Distribution
Description: Internal code signing or software distribution tools (e.g., Jenkins, Bitbucket Pipelines, or internal CI/CD systems) may generate traffic that matches the exploit’s signature.
Filter/Exclusion: Exclude traffic from internal CI/CD systems or signed by internal code signing certificates.
Scenario: Legitimate Remote Administration Tools (RATs)
Description: Tools like TeamViewer, AnyDesk, or LogMeIn may be used for remote administration and could generate traffic similar to the exploit.
Filter/Exclusion: Exclude traffic from known remote access tools or from endpoints with known legitimate remote access tool usage.