kqlHunting
# Detect CVE-2019-1129 (ByeBear) exploit
This query was originally published in the threat analytics report, **May 2019 0-day disclosures**.
**Data sources:** DeviceProcessEvents
**Platforms:** windows
**Tags:** privilege-escalation
In May and June of 2019, a security researcher using the online alias SandboxEscaper [discovered and published](https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/) several elevation-of-privilege vulnerabilities on GitHub, including proofs of concept demonstrating how to exploit them.
Patches and more information about each vulnerability are available below:
1. [CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0863)
1. [CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1069)
1. [CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1053)
1. [CVE-2019-1064 | Windows Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1064)
1. [CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0973)
1. [CVE-2019-1129 | Windows Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1129)
This query locates possible activity that exploits CVE-2019-1129 (also known as ByeBear or CVE-2019-0841-Bypass 2), the sixth vulnerability listed above.
## Query
```Kusto
// Find possible use of ByeBear (CVE-2019-1129): a recursive, quiet removal
// (rmdir or del with /S /Q) whose command line names the Microsoft Edge package folder.
// `contains` is case-insensitive; use `contains_cs` if case-sensitive matching is wanted.
DeviceProcessEvents
| where ProcessCommandLine contains @"packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
    and ProcessCommandLine contains "/S /Q"
    and (ProcessCommandLine contains "rmdir" or ProcessCommandLine contains "del")
```
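To see what the three `contains` clauses actually surface, the following Python script mirrors the query's predicate and runs it over a handful of constructed DeviceProcessEvents-style rows. It is an added example, not code from the kqlHunting page or from Microsoft; the rows, device names and the `<placeholder>` subfolder are made up, and the `strict` variant (word-boundary matching on `rmdir`/`del`) is a refinement of this example, not part of the published query.

```python
"""
Offline re-implementation of the ByeBear (CVE-2019-1129) hunting predicate.
Added example, not the kqlHunting page's or Microsoft's code.
Assumption: each row is a dict carrying the columns the KQL query reads
(ProcessCommandLine plus a couple of identifying fields). All rows below are
constructed sample data, not captured telemetry.
"""
import re

# Verbatim string from the query; KQL `contains` is case-insensitive, so the
# comparison below lowercases both sides.
EDGE_PACKAGE = r"packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"

# Stricter variant (example refinement): require rmdir/del as whole tokens so
# that substrings such as "model" no longer satisfy the `del` clause.
_STRICT_CMD = re.compile(r"\b(rmdir|del)\b")


def matches_byebear(command_line: str, strict: bool = False) -> bool:
    """Return True when the command line satisfies the query's predicate."""
    cl = command_line.lower()
    if EDGE_PACKAGE.lower() not in cl or "/s /q" not in cl:
        return False
    if strict:
        return _STRICT_CMD.search(cl) is not None
    # Plain substring semantics, exactly as the KQL `contains` clauses behave.
    return "rmdir" in cl or "del" in cl


def hunt(rows, strict: bool = False):
    """Return the rows the query would surface, in input order."""
    return [r for r in rows if matches_byebear(r.get("ProcessCommandLine", ""), strict)]


# Constructed sample rows (not real telemetry).
SAMPLE_ROWS = [
    {   # recursive, quiet removal under the Edge package folder: match
        "DeviceName": "ws01",
        "InitiatingProcessFileName": "cmd.exe",
        "ProcessCommandLine": r'cmd.exe /c rmdir /S /Q "C:\Users\alice\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\<placeholder>"',
    },
    {   # same package path but only a directory listing (no /S /Q): no match
        "DeviceName": "ws01",
        "InitiatingProcessFileName": "cmd.exe",
        "ProcessCommandLine": r'cmd.exe /c dir "C:\Users\alice\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"',
    },
    {   # ordinary /S /Q cleanup somewhere else: no match
        "DeviceName": "srv02",
        "InitiatingProcessFileName": "powershell.exe",
        "ProcessCommandLine": r"cmd.exe /c rmdir /S /Q C:\Temp\build",
    },
    {   # upper-case variant: KQL `contains` is case-insensitive, so still a match
        "DeviceName": "ws03",
        "InitiatingProcessFileName": "cmd.exe",
        "ProcessCommandLine": r'CMD.EXE /C RMDIR /S /Q "C:\USERS\BOB\APPDATA\LOCAL\PACKAGES\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE"',
    },
    {   # false positive of the substring match: xcopy /S /Q with "del" inside "model"
        "DeviceName": "ws04",
        "InitiatingProcessFileName": "cmd.exe",
        "ProcessCommandLine": r'xcopy /S /Q "C:\Users\alice\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" "D:\backup\model"',
    },
]

if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "as published")
        for row in hunt(SAMPLE_ROWS, strict=mode):
            print("  ", row["DeviceName"], row["ProcessCommandLine"])
```

Running it shows the published predicate flagging ws01, ws03 and the ws04 `xcopy` line, while the strict variant drops ws04; whichever way the `del` clause is written, the matches still need triage on the initiating process and the account, since a recursive delete of the Edge package folder is also something a cleanup script could legitimately do.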
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | v | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## Contributor info
**Contributor:** Microsoft Threat Protection team