Rule Category

OS-WINDOWS -- Snort has detected traffic targeting vulnerabilities in a Windows-based operating system. This does not include browser traffic or other software on the OS, but attacks against the OS itself. (such as?)

Alert Message

OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt

Rule Explanation

This event is generated when a DLL that exploits the vulnerability outlined in CVE-2019-0552 is detected. Impact: Sandbox escape Details: Ease of Attack:

What To Look For

This rule fires on an executable that allows an attacker to escalate their privileges.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Privilege Escalation

Technique: Exploitation for Privilege Escalation

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

Escalation of Privilege

An Escalation of Privilege (EOP) attack is any attack method that results in a user or application gaining permissions to access resources they normally would not have access to.

CVE Additional Information

CVE-2019-0552
An elevation of privilege exists in Windows COM Desktop Broker, aka "Windows COM Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.
Details
Severity Base Score8.8
Impact Score6.0 Exploit Score2.0
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactHIGH Access Vector
Authentication Ease of Access