New Contributor

CVE-2019-1388 Detection

Description: Privilege escalation in UAC due to hyperlink in Certificate - CVE-2019-1388

What The Data Shows: If successfully exploited, SYSTEM privilege will be obtained. This happens from consent.exe (if a URL association is present; otherwise openwith is called). Consent.exe calls the default browser with NT Authority\System privilege. The query looks for the same. One can add more browsers as child processes, depending on their environment.

 

query=((parent_name:openwith.exe OR parent_name:consent.exe) AND (childproc_name:firefox.exe OR childproc_name:chrome.exe OR childproc_name:iexplore.exe)) AND username:system
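
The same three conditions as the query above, applied offline to process-start events; this is an added example, not part of the original post and not Carbon Black code. The event field names (`parent`, `child`, `user`, `host`) and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Parent processes named in the post's query.
UAC_PARENTS = {"consent.exe", "openwith.exe"}
# Browsers from the query; extend per environment, as the post suggests.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}


def _image(path):
    """Lower-cased file name of a Windows image path or bare name."""
    return ntpath.basename(path.strip().strip('"')).lower()


def _is_system(user):
    """True for SYSTEM, with or without the 'NT AUTHORITY\\' prefix."""
    return user.strip().lower().rsplit("\\", 1)[-1] == "system"


def matches(event, browsers=BROWSERS):
    """Apply the query's three conditions to one process-start event."""
    return (_image(event["parent"]) in UAC_PARENTS
            and _image(event["child"]) in browsers
            and _is_system(event["user"]))


def detect(events, browsers=BROWSERS):
    """Return the events that satisfy the query, in input order."""
    return [e for e in events if matches(e, browsers)]


# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE = [
    {"host": "ws01", "parent": r"C:\Windows\System32\consent.exe",
     "child": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "ws02", "parent": "explorer.exe", "child": "chrome.exe",
     "user": r"CORP\alice"},
    {"host": "ws03", "parent": "OpenWith.exe", "child": "Firefox.exe",
     "user": "SYSTEM"},
    {"host": "ws04", "parent": "consent.exe", "child": "msedge.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "ws05", "parent": "openwith.exe", "child": "chrome.exe",
     "user": r"CORP\bob"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit["host"], hit["parent"], "->", hit["child"], hit["user"])
```

The `ws04` event is missed with the default browser set and is only caught once `msedge.exe` is added, which is why the browser list has to match the environment.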

Carbon Black Employee

Re: CVE-2019-1388 Detection - Status changed to: Under Review

@mshahnawaz The Query Exchange is solely for CB LiveQuery queries. Your submission will be removed shortly, but thanks for contributing! 

Community Manager

Re: CVE-2019-1388 Detection - Status changed to: Under Review

As @jnelson mentioned, I will be removing this post shortly.  Feel free to re-post this in the appropriate product forum if you'd like to share with others.

Thank you -- Ed.
