Sid 1-50967

Message

OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt

Summary

This event is generated when Snort detects an attempt to exploit CVE-2019-1184, a vulnerability in how Windows handles COM objects.

Impact

Code execution in an elevated context

Detailed information

Affected systems

  • Microsoft Windows 10 (prior to the Aug 2019 patch level)

Ease of attack

Medium

False positives

None known

False negatives

None known

Corrective action

Isolate the affected system and remediate it in accordance with your organization's incident response policy. Afterward, ensure the machine is updated to include the most recent security updates.

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-1184
  • portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1184