EXPLORE
Sign In
← Back to Explore
kqlHunting

Detect CVE-2019-1069 (BearLPE) exploit

This query was originally published in the threat analytics report, **May 2019 0-day disclosures**.

Detection Query

//Find possible use of BearLPE (Task Scheduler exploit)
DeviceFileEvents
| where FileName =~ "schtasks.exe"
| where InitiatingProcessCommandLine contains "/change"
and InitiatingProcessCommandLine contains " /TN "
and InitiatingProcessCommandLine contains " /RU "
and InitiatingProcessCommandLine contains " /RP "
and InitiatingProcessCommandLine !contains " /S "
and InitiatingProcessCommandLine !contains " /ST "
and InitiatingProcessCommandLine !contains " /SD "
and InitiatingProcessIntegrityLevel !in ("", "High", "System")

Data Sources

DeviceFileEvents

Platforms

windows

Tags

privilege-escalation
Raw Content
# Detect CVE-2019-1069 (BearLPE) exploit

This query was originally published in the threat analytics report, **May 2019 0-day disclosures**.

In May and June of 2019, a security researcher with the online alias, SandboxEscaper, [discovered and published](https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/) several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities.

Patches and more information about each vulnerability are available below:

1. [CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0863)
1. [CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1069)
1. [CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1053)
1. [CVE-2019-1064 | Windows Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1064)
1. [CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0973)
1. [CVE-2019-1129 | Windows Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1129)

This query locates possible activity that exploits CVE-2019-1069 (also known as BearLPE), the second vulnerability listed above.

## Query

```Kusto
//Find possible use of BearLPE (Task Scheduler exploit)
DeviceFileEvents
| where FileName =~ "schtasks.exe"
| where InitiatingProcessCommandLine contains "/change"
and InitiatingProcessCommandLine contains " /TN "
and InitiatingProcessCommandLine contains " /RU "
and InitiatingProcessCommandLine contains " /RP "
and InitiatingProcessCommandLine !contains " /S "
and InitiatingProcessCommandLine !contains " /ST "
and InitiatingProcessCommandLine !contains " /SD "
and InitiatingProcessIntegrityLevel !in ("", "High", "System")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access |  |  |
| Execution |  |  |
| Persistence |  |  |
| Privilege escalation | v |  |
| Defense evasion |  |  |
| Credential Access |  |  |
| Discovery |  |  |
| Lateral movement |  |  |
| Collection |  |  |
| Command and control |  |  |
| Exfiltration |  |  |
| Impact |  |  |
| Vulnerability |  |  |
| Misconfiguration |  |  |
| Malware, component |  |  |

## Contributor info

**Contributor:** Microsoft Threat Protection team