Sid 1-50364

Message

OS-WINDOWS Microsoft Windows win32k NtGdiExtFloodFill memory corruption attempt

Summary

This event is generated when an attacker attempts to exploit an elevation of privilege vulnerability in Microsoft Windows.

Impact

Attempted Administrator Privilege Gain

Detailed information

This rule fires when an attacker attempts to exploit an elevation of privilege vulnerability in Microsoft Windows' win32k driver.

Affected systems

Ease of attack

False positives

Not known

False negatives

Not known

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-1017
  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1017