Rule Category

OS-WINDOWS -- Snort has detected traffic targeting vulnerabilities in a Windows-based operating system. This category covers attacks against the OS itself, not browser traffic or other software running on the OS.

Alert Message

OS-WINDOWS Microsoft Windows win32k.sys remote code execution attempt

Rule Explanation

The Windows kernel is vulnerable to privilege escalation when an attacker calls into a device driver context (win32k.sys) using invalid parameters.

What To Look For

This rule is triggered when an attempt to perform a local privilege escalation against the Windows Kernel is seen.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

Rule Vulnerability

CVE Additional Information

CVE-2020-1251
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1207, CVE-2020-1247, CVE-2020-1253, CVE-2020-1310.
Details
Severity Base Score: 6.7
Impact Score: 5.9
Exploit Score: 0.8
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Attack Vector: LOCAL
Scope: UNCHANGED
User Interaction: NONE
Authentication: (not listed)
Ease of Access: LOW
Privileges Required: HIGH

MITRE ATT&CK Framework

Tactic: Privilege Escalation

Technique: Access Token Manipulation

For reference, see the MITRE ATT&CK tactics and techniques here: https://attack.mitre.org