EXPLORE
Sign In
← Back to Explore
kqlHunting

Task creation associated with privilege escalation vulnerability, CVE-2019-0808

This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*

Detection Query

//Scheduled task creation 
DeviceProcessEvents 
| where Timestamp  > ago(14d) 
| where FileName =~ "schtasks.exe"  
| where ProcessCommandLine  contains "highest" and 
(ProcessCommandLine contains "ecosetup" or 
ProcessCommandLine contains "spsextserv.exe")

Data Sources

DeviceProcessEvents

Platforms

windows

Tags

privilege-escalationbehavior
Raw Content
# Task creation associated with privilege escalation vulnerability, CVE-2019-0808

This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*

[CVE-2019-0808](https://nvd.nist.gov/vuln/detail/CVE-2019-0808) is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the *[Nufsys](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Nufsys.A&threatId=-2147233438)* backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been [patched](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808).

The following query detects possible CVE-2019-0808 exploitation by reporting scheduled task creation events associated with the Nufsys attacks.

## Query

```Kusto
//Scheduled task creation 
DeviceProcessEvents 
| where Timestamp  > ago(14d) 
| where FileName =~ "schtasks.exe"  
| where ProcessCommandLine  contains "highest" and 
(ProcessCommandLine contains "ecosetup" or 
ProcessCommandLine contains "spsextserv.exe")
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access |  |  |
| Execution |  |  |
| Persistence | v |  |
| Privilege escalation | v |  |
| Defense evasion |  |  |
| Credential Access |  |  |
| Discovery |  |  |
| Lateral movement |  |  |
| Collection |  |  |
| Command and control |  |  |
| Exfiltration |  |  |
| Impact |  |  |
| Vulnerability | v |  |
| Misconfiguration |  |  |
| Malware, component |  |  |

## See also

* [Backdoor associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-nufsys-file-creation.md)
* [Command and control associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-c2.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team