
Sid 1-49173

Message

OS-WINDOWS Microsoft Windows kernel information disclosure attempt

Summary

This event is generated when an attempt is made to download an executable file containing an exploit for a Windows kernel information disclosure vulnerability.

Impact

CVE-2019-0621:

CVSS base score 5.5

CVSS impact score 3.6

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Detailed information

This rule triggers when a Microsoft Windows executable containing a malicious call to NtAdjustGroupsToken is seen in transit. Such a call has the potential to disclose kernel memory contents to the user-mode program, and the leaked data can then be used to enable further exploitation. CVE-2019-0621: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0661 and CVE-2019-0663.
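The page does not reproduce the rule's content matches, so the script below is an added illustration, not the Talos rule itself, of the two ways a sensor can decide that a transferred Windows executable "contains a call to NtAdjustGroupsToken": a raw content match on the API name anywhere in the file, and a walk of the PE import table. Everything in it is constructed for this example: the pe_imports, matches_rule, raw_string_match and build_sample_pe helpers are hypothetical, and the PE images are generated by the script rather than captured from traffic.

```python
import struct

# ntdll.dll export named on the page; the detection keys on a PE that imports it.
API_NAME = b"NtAdjustGroupsToken"


def pe_imports(data):
    """Walk the PE import directory; return {dll: {function, ...}}, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if opt_size < 104 or opt + opt_size + 40 * num_sections > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        return None
    pe32plus = magic == 0x20B
    # Data directory 1 is the import table; directories start at +96 (PE32) or +112 (PE32+).
    (import_rva,) = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)
    sections = []
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def off(rva):  # RVA -> file offset via the section table
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        return None

    def cstr(o):  # NUL-terminated string at file offset o
        end = data.find(b"\0", o)
        return data[o:len(data) if end < 0 else end]

    imports = {}
    desc = off(import_rva) if import_rva else None
    tsize, tfmt = (8, "<Q") if pe32plus else (4, "<I")
    ordinal_flag = 1 << (tsize * 8 - 1)
    while desc is not None and desc + 20 <= len(data):
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        name_off = off(name_rva) if name_rva else None
        if name_off is None:
            break  # null descriptor (or a bad name RVA) ends the table
        names = set()
        thunk = off(ilt_rva or iat_rva)
        while thunk is not None and thunk + tsize <= len(data):
            (entry,) = struct.unpack_from(tfmt, data, thunk)
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.add(b"#%d" % (entry & 0xFFFF))  # import by ordinal
            else:
                hint_name = off(entry & 0x7FFFFFFF)
                if hint_name is not None:
                    names.add(cstr(hint_name + 2))  # skip the 2-byte hint
            thunk += tsize
        imports[cstr(name_off).lower()] = names
        desc += 20
    return imports


def matches_rule(data):
    """Import-table check: a PE image whose import table names NtAdjustGroupsToken."""
    imports = pe_imports(data)
    return bool(imports) and any(API_NAME in names for names in imports.values())


def raw_string_match(data):
    """Naive content match: 'MZ' at offset 0 plus the API name anywhere in the file."""
    return data[:2] == b"MZ" and API_NAME in data


def build_sample_pe(dll, names):
    """Constructed PE32+ image (one .idata section) importing `names` from `dll`."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(names)
    ilt_off, iat_off = 40, 40 + 8 * (n + 1)
    strings_off = iat_off + 8 * (n + 1)
    strings, name_rvas = bytearray(dll + b"\0"), []
    for name in names:
        if len(strings) % 2:
            strings += b"\0"  # hint/name entries are 2-byte aligned
        name_rvas.append(sec_rva + strings_off + len(strings))
        strings += struct.pack("<H", 0) + name + b"\0"
    thunks = b"".join(struct.pack("<Q", r) for r in name_rvas) + b"\0" * 8
    descriptor = struct.pack("<IIIII", sec_rva + ilt_off, 0, 0, sec_rva + strings_off, sec_rva + iat_off)
    body = descriptor + b"\0" * 20 + thunks + thunks + bytes(strings)
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, raw_size, 0,
                      sec_rva, sec_rva, 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0x2000, sec_raw, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8, sec_rva, 40)  # data directory 1: import table
    section = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(body), sec_rva, raw_size, sec_raw,
                          0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + bytes(dirs) + section).ljust(sec_raw, b"\0")
    return headers + body.ljust(raw_size, b"\0")


if __name__ == "__main__":
    exploit_like = build_sample_pe(b"ntdll.dll", [API_NAME, b"NtClose"])
    benign = build_sample_pe(b"ntdll.dll", [b"NtClose"]) + b"log: NtAdjustGroupsToken\0"
    print("exploit-like:", matches_rule(exploit_like), raw_string_match(exploit_like))  # True True
    print("benign+string:", matches_rule(benign), raw_string_match(benign))  # False True
```

The second sample shows the false-positive side of a plain content match: a binary that merely carries the API name as data (a log string, an embedded tool list) satisfies raw_string_match but has no such import, so matches_rule stays quiet. The reverse caveat applies to any import-based check, including this one: an exploit that resolves the export at run time through GetProcAddress, or that is packed, imports nothing by that name and is missed by both tests.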

Affected systems

  • Microsoft Windows 10
  • Microsoft Windows 10 1607
  • Microsoft Windows 10 1703
  • Microsoft Windows 10 1709
  • Microsoft Windows 10 1803
  • Microsoft Windows 10 1809
  • Microsoft Windows 7
  • Microsoft Windows 8.1
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2016 1709
  • Microsoft Windows Server 2016 1803
  • Microsoft Windows Server 2019

Ease of attack

CVE-2019-0621:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0621
  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0767