Rule Category

OS-WINDOWS -- Snort has detected traffic targeting vulnerabilities in a Windows-based operating system. This does not include browser traffic or other software on the OS, but attacks against the OS itself. (such as?)

Alert Message

OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt

Rule Explanation

This event is generated when an attempt to get a privilege escalation in Windows, is detected Impact: High Details: Ease of Attack: Simple

What To Look For

when attacker tries to exploit CVE-2020-0788

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Execution

Technique: User Execution

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

CVE-2019-1396
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1393, CVE-2019-1394, CVE-2019-1395, CVE-2019-1408, CVE-2019-1434.
Details
SeverityHIGH Base Score7.2
Impact Score10.0 Exploit Score3.9
Confidentiality ImpactCOMPLETE Integrity ImpactCOMPLETE
Availability ImpactCOMPLETE Access VectorLOCAL
AuthenticationNONE Ease of AccessLOW
CVE-2020-0788
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0877, CVE-2020-0887.
Details
SeverityHIGH Base Score7.2
Impact Score10.0 Exploit Score3.9
Confidentiality ImpactCOMPLETE Integrity ImpactCOMPLETE
Availability ImpactCOMPLETE Access VectorLOCAL
AuthenticationNONE Ease of AccessLOW