
Sid 1-49173

OS-WINDOWS Microsoft Windows kernel information disclosure attempt

This event is generated when an attempt to download an executable file containing a Windows Kernel information disclosure exploit is made.

CVSS base score 5.5

CVSS impact score 3.6

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Detailed information

This rule triggers when a Microsoft Windows executable containing a malicious call to NtAdjustGroupsToken is seen. The malicious call has the potential to disclose kernel memory to the user-land program and allow for further exploitation.

CVE-2019-0621: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0661 and CVE-2019-0663.
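An analyst reviewing this alert usually wants to confirm two things about the captured download: that it really is a Windows PE image, and that it names NtAdjustGroupsToken in an import name table. The triage helper below is an added example, not Talos code and not the rule's actual content matches (which this page does not reproduce); it checks the DOS/PE headers and looks for the NUL-terminated import name, and builds a constructed, non-executable PE-like blob purely for testing.

```python
import struct

# API name that the rule description says the flagged executable calls.
SUSPECT_IMPORT = b"NtAdjustGroupsToken"


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def references_suspect_import(data: bytes) -> bool:
    """Heuristic: an IMAGE_IMPORT_BY_NAME entry stores the API as a NUL-terminated
    ASCII string, so look for the name followed by a NUL rather than a bare substring."""
    return (SUSPECT_IMPORT + b"\x00") in data


def triage_download(data: bytes) -> str:
    """Classify a captured download the way an analyst would when reviewing this alert.

    not-pe           -> rule is scoped to Windows executables; likely a false positive
    pe-no-reference  -> a PE, but NtAdjustGroupsToken is not named; review the match context
    suspect          -> a PE that names NtAdjustGroupsToken; escalate for sandbox analysis
    """
    if not is_pe_image(data):
        return "not-pe"
    if references_suspect_import(data):
        return "suspect"
    return "pe-no-reference"


def build_sample_pe(import_names: bytes) -> bytes:
    """Construct a minimal, non-executable PE-like blob for testing (assumption: this
    stands in for a real download): MZ header, e_lfanew, PE signature, padding, then
    the bytes given as a fake import name table."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + import_names


if __name__ == "__main__":
    # hint (2 bytes) + name + NUL, as in a real import name table
    sample = build_sample_pe(b"\x00\x00NtAdjustGroupsToken\x00\x00\x00NtClose\x00")
    print(triage_download(sample))
```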

Affected systems

  • microsoft windows_10 -
  • microsoft windows_10 1607
  • microsoft windows_10 1703
  • microsoft windows_10 1709
  • microsoft windows_10 1803
  • microsoft windows_10 1809
  • microsoft windows_7 -
  • microsoft windows_8.1 -
  • microsoft windowsrt8.1 -
  • microsoft windowsserver2008 -
  • microsoft windowsserver2008 r2
  • microsoft windowsserver2012 -
  • microsoft windowsserver2012 r2
  • microsoft windowsserver2016 -
  • microsoft windowsserver2016 1709
  • microsoft windowsserver2016 1803
  • microsoft windowsserver2019 -

Ease of attack

Access Vector

Access Complexity

False positives

False negatives

Corrective action

  • Cisco Talos Intelligence Group

Additional References