kqlHunting

Data Sources: DeviceFileEvents
Platforms: windows
Tags: privilege-escalation
# Detect CVE-2019-1053 (SandboxEscape) exploit

This query was originally published in the threat analytics report, **May 2019 0-day disclosures**.

In May and June of 2019, a security researcher using the online alias SandboxEscaper [discovered and published](https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/) several elevation-of-privilege vulnerabilities on GitHub. The researcher included proofs of concept demonstrating how to exploit these vulnerabilities.

Patches and more information about each vulnerability are available below:

1. [CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0863)
1. [CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1069)
1. [CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1053)
1. [CVE-2019-1064 | Windows Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1064)
1. [CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0973)
1. [CVE-2019-1129 | Windows Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1129)

This query locates possible activity that exploits CVE-2019-1053 (also known as SandboxEscape), the third vulnerability listed above.

## Query

```Kusto
//Find possible use of SandboxEscape (Internet Explorer 11 exploit)
//Matches .lnk files written under a folder whose name ends in the shell folder-shortcut CLSID;
//contains and endswith are case-insensitive, so mixed-case paths still match
DeviceFileEvents
| where FolderPath contains @".{0afaced1-e828-11d1-9187-b532f1e9575d}\"
and FileName endswith ".lnk"
```
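The same predicate ported to Python and run over constructed DeviceFileEvents-style rows, as an added example that is not part of the original query or the Microsoft repository; the column subset, the sample rows and the assumption that FolderPath carries the full path including the file name are mine, and the port preserves the case-insensitive semantics of KQL `contains` and `endswith`.

```python
import re
from dataclasses import dataclass

# CLSID suffix the KQL query keys on. A folder whose name ends in ".{CLSID}"
# is treated by the Windows shell as a folder shortcut rather than an ordinary
# directory; the query hunts for .lnk files created under such a folder.
CLSID_SUFFIX = ".{0afaced1-e828-11d1-9187-b532f1e9575d}\\"
JUNCTION_RE = re.compile(
    r"([^\\]+\.\{0afaced1-e828-11d1-9187-b532f1e9575d\})\\", re.IGNORECASE)

@dataclass
class FileEvent:
    """Subset of DeviceFileEvents columns the query touches (constructed rows)."""
    DeviceName: str
    FolderPath: str   # assumed to hold the full path including the file name
    FileName: str
    ActionType: str

def kql_contains(haystack: str, needle: str) -> bool:
    # KQL `contains` is case-insensitive; `contains_cs` is the case-sensitive form.
    return needle.lower() in haystack.lower()

def kql_endswith(value: str, suffix: str) -> bool:
    # KQL `endswith` is likewise case-insensitive (`endswith_cs` is not).
    return value.lower().endswith(suffix.lower())

def matches_sandboxescape(ev: FileEvent) -> bool:
    """Port of: FolderPath contains @".{0afaced1-...}\" and FileName endswith ".lnk"."""
    return kql_contains(ev.FolderPath, CLSID_SUFFIX) and kql_endswith(ev.FileName, ".lnk")

def junction_folder(ev: FileEvent):
    """Name of the CLSID-suffixed folder, useful for triage; None if absent."""
    m = JUNCTION_RE.search(ev.FolderPath)
    return m.group(1) if m else None

def hunt(events):
    return [ev for ev in events if matches_sandboxescape(ev)]

# Constructed sample rows: two hits (one in mixed case), two benign rows.
SAMPLE = [
    FileEvent("ws01", r"C:\Users\alice\AppData\Local\Temp\Low\Docs.{0afaced1-e828-11d1-9187-b532f1e9575d}\shortcut.lnk", "shortcut.lnk", "FileCreated"),
    FileEvent("ws02", r"C:\Users\bob\Desktop\Docs.{0AFACED1-E828-11D1-9187-B532F1E9575D}\Shortcut.LNK", "Shortcut.LNK", "FileCreated"),
    FileEvent("ws03", r"C:\Users\carol\Desktop\notes.lnk", "notes.lnk", "FileCreated"),
    FileEvent("ws04", r"C:\Users\dave\Docs.{0afaced1-e828-11d1-9187-b532f1e9575d}\readme.txt", "readme.txt", "FileCreated"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE):
        print(ev.DeviceName, junction_folder(ev), ev.FileName)
```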

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access |  |  |
| Execution |  |  |
| Persistence |  |  |
| Privilege escalation | v |  |
| Defense evasion |  |  |
| Credential Access |  |  |
| Discovery |  |  |
| Lateral movement |  |  |
| Collection |  |  |
| Command and control |  |  |
| Exfiltration |  |  |
| Impact |  |  |
| Vulnerability |  |  |
| Misconfiguration |  |  |
| Malware, component |  |  |

## Contributor info

**Contributor:** Microsoft Threat Protection team