Sid 1-45633

Message

OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt

Summary

This event is generated when an attacker attempts to exploit a use-after-free vulnerability in the win32kbase.sys driver.

Impact

Attempted Administrative Privilege Gain

CVE-2018-0756:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

This rule checks for an attempt to exploit a use-after-free vulnerability in the win32kbase.sys driver. CVE-2018-0756: The Windows kernel in Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way objects are handled in memory, aka "Windows Kernel Elevation of Privilege Vulnerability". This CVE is distinct from CVE-2018-0742, CVE-2018-0809, CVE-2018-0820 and CVE-2018-0843.

Affected systems

  • microsoft windows_10 (all versions)
  • microsoft windows_10 1511
  • microsoft windows_10 1607
  • microsoft windows_10 1703
  • microsoft windows_10 1709
  • microsoft windowsserver1709 (all versions)
  • microsoft windowsserver2016 (all versions)

Ease of attack

Hard

False positives

Not known

False negatives

Not known

Corrective action

Apply the latest patches listed in Microsoft's advisory: portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0756.

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0756