Sid 1-46905

Message

INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt

Summary

This event is generated when shellcode is detected that creates a malicious CONTEXT structure.

Impact

Attempted User Privilege Gain

CVE-2018-8897:

CVSS base score: 7.8

CVSS impact score: 5.9

CVSS exploitability score: 1.8

Confidentiality impact: HIGH

Integrity impact: HIGH

Availability impact: HIGH

Detailed information

CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash.

The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3).

If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

Affected systems

  • citrix xenserver 6.0.2
  • citrix xenserver 6.2.0
  • citrix xenserver 6.5
  • citrix xenserver 7.0
  • citrix xenserver 7.1
  • citrix xenserver 7.2
  • citrix xenserver 7.3
  • citrix xenserver 7.4
  • synology skynas -
  • synology diskstation_manager 5.2
  • synology diskstation_manager 6.0
  • synology diskstation_manager 6.1
  • apple macosx -
  • apple macosx 10.0
  • apple macosx 10.0.0
  • apple macosx 10.0.1
  • apple macosx 10.0.2
  • apple macosx 10.0.3
  • apple macosx 10.0.4
  • apple macosx 10.1
  • apple macosx 10.1.0
  • apple macosx 10.1.1
  • apple macosx 10.1.2
  • apple macosx 10.1.3
  • apple macosx 10.1.4
  • apple macosx 10.1.5
  • apple macosx 10.2
  • apple macosx 10.2.0
  • apple macosx 10.2.1
  • apple macosx 10.2.2
  • apple macosx 10.2.3
  • apple macosx 10.2.4
  • apple macosx 10.2.5
  • apple macosx 10.2.6
  • apple macosx 10.2.7
  • apple macosx 10.2.8
  • apple macosx 10.3
  • apple macosx 10.3.0
  • apple macosx 10.3.1
  • apple macosx 10.3.2
  • apple macosx 10.3.3
  • apple macosx 10.3.4
  • apple macosx 10.3.5
  • apple macosx 10.3.6
  • apple macosx 10.3.7
  • apple macosx 10.3.8
  • apple macosx 10.3.9
  • apple macosx 10.4
  • apple macosx 10.4.0
  • apple macosx 10.4.1
  • apple macosx 10.4.2
  • apple macosx 10.4.3
  • apple macosx 10.4.4
  • apple macosx 10.4.5
  • apple macosx 10.4.6
  • apple macosx 10.4.7
  • apple macosx 10.4.8
  • apple macosx 10.4.9
  • apple macosx 10.4.10
  • apple macosx 10.4.11
  • apple macosx 10.5
  • apple macosx 10.5.0
  • apple macosx 10.5.1
  • apple macosx 10.5.2
  • apple macosx 10.5.3
  • apple macosx 10.5.4
  • apple macosx 10.5.5
  • apple macosx 10.5.6
  • apple macosx 10.5.7
  • apple macosx 10.5.8
  • apple macosx 10.6.0
  • apple macosx 10.6.1
  • apple macosx 10.6.2
  • apple macosx 10.6.3
  • apple macosx 10.6.4
  • apple macosx 10.6.5
  • apple macosx 10.6.6
  • apple macosx 10.6.7
  • apple macosx 10.6.8
  • apple macosx 10.7.0
  • apple macosx 10.7.1
  • apple macosx 10.7.2
  • apple macosx 10.7.3
  • apple macosx 10.7.4
  • apple macosx 10.7.5
  • apple macosx 10.8.0
  • apple macosx 10.8.1
  • apple macosx 10.8.2
  • apple macosx 10.8.3
  • apple macosx 10.8.4
  • apple macosx 10.8.5
  • apple macosx 10.9
  • apple macosx 10.9.1
  • apple macosx 10.9.2
  • apple macosx 10.9.3
  • apple macosx 10.9.4
  • apple macosx 10.9.5
  • apple macosx 10.10.0
  • apple macosx 10.10.1
  • apple macosx 10.10.2
  • apple macosx 10.10.3
  • apple macosx 10.10.4
  • apple macosx 10.10.5
  • apple macosx 10.11.0
  • apple macosx 10.11.1
  • apple macosx 10.11.2
  • apple macosx 10.11.3
  • apple macosx 10.11.4
  • apple macosx 10.11.5
  • apple macosx 10.11.6
  • apple macosx 10.12.0
  • apple macosx 10.12.1
  • apple macosx 10.12.2
  • apple macosx 10.12.3
  • apple macosx 10.12.4
  • apple macosx 10.12.5
  • apple macosx 10.12.6
  • apple macosx 10.13
  • apple macosx 10.13.0
  • apple macosx 10.13.1
  • apple macosx 10.13.2
  • apple macosx 10.13.3
  • canonical ubuntu_linux 14.04
  • canonical ubuntu_linux 16.04
  • canonical ubuntu_linux 17.10
  • debian debian_linux 7.0
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • redhat enterpriselinuxserver 7.0
  • redhat enterpriselinuxworkstation 7.0
  • redhat enterprisevirtualizationmanager 3.0
  • xen xen -

Ease of attack

CVE-2018-8897:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References