EXPLORE
Sign In
← Back to Explore
kqlHunting

Command and control associated with privilege escalation vulnerability, CVE-2019-0808

This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*

Detection Query

//Network Communication to C&C 
DeviceNetworkEvents 
| where Timestamp > ago(14d) 
| where RemoteUrl  in("luckluck.blog", "fffun-video.biz") //Dest Address DNS 
or RemoteIP  == "63.141.233.82" //Destination Address

Data Sources

DeviceNetworkEvents

Platforms

windows

Tags

privilege-escalationbehavior
Raw Content
# Command and control associated with privilege escalation vulnerability, CVE-2019-0808

This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*

[CVE-2019-0808](https://nvd.nist.gov/vuln/detail/CVE-2019-0808) is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the *[Nufsys](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Nufsys.A&threatId=-2147233438)* backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been [patched](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808).

The following query detects possible CVE-2019-0808 exploitation by reporting network communication associated with the Nufsys attacks.

## Query

```Kusto
//Network Communication to C&C 
DeviceNetworkEvents 
| where Timestamp > ago(14d) 
| where RemoteUrl  in("luckluck.blog", "fffun-video.biz") //Dest Address DNS 
or RemoteIP  == "63.141.233.82" //Destination Address 
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access |  |  |
| Execution |  |  |
| Persistence |  |  |
| Privilege escalation | v |  |
| Defense evasion |  |  |
| Credential Access |  |  |
| Discovery |  |  |
| Lateral movement |  |  |
| Collection |  |  |
| Command and control | v |  |
| Exfiltration |  |  |
| Impact |  |  |
| Vulnerability | v |  |
| Misconfiguration |  |  |
| Malware, component |  |  |

## See also

* [Backdoor associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-nufsys-file-creation.md)
* [Task creation associated with privilege escalation vulnerability, CVE-2019-0808](cve-2019-0808-set-scheduled-task.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team