This rule detects potential exploitation of the Windows ALPC elevation of privilege vulnerability (CVE-2018-8440), which allows an attacker to elevate privileges and run arbitrary code with higher access. Concretely, the query flags printconfig.dll being written under the Windows directory by a process that is not running at High or System integrity. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate local privilege escalation attempts that could lead to deeper network compromise.
KQL Query

```kql
DeviceFileEvents
| where Timestamp > ago(7d)
    and FileName =~ "printconfig.dll"
    and InitiatingProcessIntegrityLevel != "System"
    and InitiatingProcessIntegrityLevel != "High"
    and FolderPath contains @":\Windows"
```
```yaml
id: 8f26a2c6-4c60-469c-ac7a-f4d1ccccab9f
name: locate-ALPC-local-privilege-elevation-exploit
description: |
  This query was originally published in the threat analytics report, ALPC local privilege elevation.
  Windows ALPC Elevation of Privilege Vulnerability, CVE-2018-8440, could be exploited to run arbitrary code or to gain access to protected directories and areas of the operating system.
  This vulnerability was patched in the September 2018 Security Update.
  The following query checks for potential activity related to this vulnerability over the past 7 days. If you wish to check another time period, update the EventTime value.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2018-8440
  https://support.microsoft.com/help/4457143/windows-81-update-kb4457143
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Privilege escalation
query: |
  DeviceFileEvents
  | where Timestamp > ago(7d)
      and FileName =~ "printconfig.dll"
      and InitiatingProcessIntegrityLevel != "System"
      and InitiatingProcessIntegrityLevel != "High"
      and FolderPath contains @":\Windows"
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using PowerShell to remotely manage a server and inadvertently triggers the ALPC call due to a legitimate remote management task.
  - Filter/Exclusion: Check for `ProcessName == "powershell.exe" and (ParentProcessName == "task scheduler" or ParentProcessName == "remote desktop services")`.
- Scenario: A scheduled task is configured to run a script that interacts with the ALPC interface as part of a legitimate system maintenance routine.
  - Filter/Exclusion: Filter by `(ProcessName == "schtasks.exe" or ProcessName == "taskhost.exe")` and check for known maintenance scripts or paths in the CommandLine field.
- Scenario: A Windows Update or Group Policy client service is making an ALPC call as part of its normal operation during system configuration.
  - Filter/Exclusion: Exclude processes with `ProcessName == "svchost.exe"` and check for known service names such as wuauserv or gpsvc.
- Scenario: A third-party application (e.g., Microsoft SQL Server or Exchange) uses ALPC for internal communication and triggers the rule due to normal inter-process communication.
  - Filter/Exclusion: Filter by ProcessName matching the known application (e.g., sqlservr.exe, msexch.exe) and exclude any calls that do not match known internal ALPC patterns.
- Scenario: A security tool (e.g., Windows Defender, Microsoft Endpoint Detection and Response (EDR)) is performing a system scan and makes an ALPC call as part of its integrity checks.
  - Filter/Exclusion: Exclude processes with `ProcessName == "WindowsDefender.exe" or ProcessName == "microsoft-edge.exe"` and check for known security tool behaviors.
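To make both the KQL predicates of the hunting query and the exclusion ideas from the scenarios above testable offline, the following Python is an added example (not part of the original hunting query, the Sentinel repository, or Microsoft's content). It re-implements the query's filters, including KQL's case-insensitive `=~` and `contains` semantics, over constructed DeviceFileEvents-shaped rows, then applies allow-list exclusions before anything is raised as an alert. All device names, process names, command lines, the maintenance directory, and the mapping of the page's `ProcessName`/`ParentProcessName` onto the table's `InitiatingProcessFileName`/`InitiatingProcessParentFileName` are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the sample is deterministic; stands in for ago(7d)'s "now".
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
WINDOW = timedelta(days=7)
# Known-good script directory for the scheduled-maintenance exclusion (constructed; tune per environment).
KNOWN_MAINTENANCE_PATHS = (r"c:\programdata\it\maintenance",)
# Assumed driver-store path used by several sample rows (constructed).
SPOOL = r"C:\Windows\System32\spool\drivers\x64\3\printconfig.dll"


def _event(age, device, name, folder, integrity, proc, parent, cmdline):
    """Constructed DeviceFileEvents-shaped row (not real telemetry); `age` is time before NOW."""
    return {"Timestamp": NOW - age, "DeviceName": device, "ActionType": "FileCreated",
            "FileName": name, "FolderPath": folder,
            "InitiatingProcessIntegrityLevel": integrity,
            "InitiatingProcessFileName": proc, "InitiatingProcessParentFileName": parent,
            "InitiatingProcessCommandLine": cmdline}


SAMPLE_EVENTS = [
    # ws01: medium-integrity unknown process drops printconfig.dll into the spool driver path -> alert
    _event(timedelta(hours=2), "ws01", "printconfig.dll", SPOOL, "Medium",
           "dropper.exe", "explorer.exe", "dropper.exe"),
    # ws02: same path, but the writer already runs at System integrity -> filtered by the rule
    _event(timedelta(hours=1), "ws02", "printconfig.dll", SPOOL, "System",
           "msiexec.exe", "services.exe", "msiexec.exe /V"),
    # ws03: mixed-case name and path; =~ and contains are case-insensitive in KQL -> alert
    _event(timedelta(days=1), "ws03", "PrintConfig.DLL", r"c:\windows\temp\PrintConfig.DLL", "Medium",
           "updater.exe", "cmd.exe", "updater.exe"),
    # ws04: like ws03 but 10 days old -> outside ago(7d)
    _event(timedelta(days=10), "ws04", "printconfig.dll", r"C:\Windows\Temp\printconfig.dll", "Medium",
           "updater.exe", "cmd.exe", "updater.exe"),
    # ws05: written into a user profile, not under :\Windows -> no match
    _event(timedelta(hours=3), "ws05", "printconfig.dll", r"C:\Users\alice\Downloads\printconfig.dll",
           "Medium", "chrome.exe", "explorer.exe", "chrome.exe"),
    # ws06: matches the rule, but it is the scheduled maintenance script from a known path -> suppressed
    _event(timedelta(hours=4), "ws06", "printconfig.dll", r"C:\Windows\Temp\printconfig.dll", "Medium",
           "powershell.exe", "svchost.exe",
           r"powershell.exe -File C:\ProgramData\IT\maintenance\refresh-print-drivers.ps1"),
]


def matches_rule(event, now=NOW, window=WINDOW):
    """Python equivalent of the query's predicates.

    Timestamp > ago(7d)                        -> strict time window
    FileName =~ "printconfig.dll"              -> case-insensitive equality
    InitiatingProcessIntegrityLevel != System/High -> KQL != is case-sensitive
    FolderPath contains @":\\Windows"          -> KQL contains is case-insensitive
    """
    if event["Timestamp"] <= now - window:
        return False
    if event["FileName"].lower() != "printconfig.dll":
        return False
    if event["InitiatingProcessIntegrityLevel"] in ("System", "High"):
        return False
    return ":\\windows" in event["FolderPath"].lower()


def is_known_benign(event):
    """Allow-list exclusions modelled on the false-positive scenarios above.

    Assumption: ProcessName / ParentProcessName on the page correspond to
    InitiatingProcessFileName / InitiatingProcessParentFileName, and a
    "task scheduler" parent shows up as the svchost.exe that hosts that service.
    Each branch suppresses only when the process AND a command-line marker agree,
    so a renamed binary on its own never qualifies.
    """
    proc = event["InitiatingProcessFileName"].lower()
    parent = event["InitiatingProcessParentFileName"].lower()
    cmd = event["InitiatingProcessCommandLine"].lower()

    # Scheduled maintenance: script host started by the scheduler, running a script from a known directory.
    if proc in ("powershell.exe", "schtasks.exe", "taskhost.exe") and parent == "svchost.exe":
        if any(path in cmd for path in KNOWN_MAINTENANCE_PATHS):
            return True
    # Windows Update / Group Policy service hosts, identified by the -s <service> switch.
    if proc == "svchost.exe" and any(f"-s {svc}" in cmd for svc in ("wuauserv", "gpsvc")):
        return True
    return False


def hunt(events, now=NOW):
    """Apply the rule, then split matches into alerts and suppressed known-benign hits.

    Suppressed rows are returned too, so tuning can be audited instead of silently discarded.
    """
    hits = [e for e in events if matches_rule(e, now)]
    alerts = [e for e in hits if not is_known_benign(e)]
    suppressed = [e for e in hits if is_known_benign(e)]
    return alerts, suppressed


if __name__ == "__main__":
    found, dropped = hunt(SAMPLE_EVENTS)
    for e in found:
        print("ALERT", e["DeviceName"], e["InitiatingProcessFileName"], e["FolderPath"])
    for e in dropped:
        print("suppressed", e["DeviceName"], e["InitiatingProcessCommandLine"])
```

Running the block reports ws01 and ws03 as alerts and ws06 as suppressed; ws02, ws04 and ws05 never pass the rule's own filters. In Sentinel the same tuning is done by appending `| where not(...)` clauses to the query for each agreed exclusion, and the point of keeping the suppressed rows visible here is that every exclusion is a deliberate, reviewable allow-list entry rather than a blanket drop of a process name.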