Sid 1-52206

Message

OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt

Summary

This event is generated when an attempt to corrupt the memory of a Windows kernel driver is made via a malicious printer driver.

Impact

Local Privilege Escalation

Detailed information

The Windows win32k.sys kernel driver is vulnerable to a memory corruption error that could lead to local privilege escalation. By creating a malicious user-mode printer driver, an attacker is able to corrupt the memory of the Windows system and obtain privileges that they should otherwise not have.

Affected systems

  • Windows 7

Ease of attack

Medium

False positives

False negatives

Corrective action

Apply patch and system updates.

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-1393
  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1393