Sid 1-51016

Message

OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt

Summary

This event is generated when an executable that attempts to exploit CVE-2019-1175 (the PsmSrvDisconnect privilege escalation flaw) is detected.

Impact

Code execution with elevated privileges

Detailed information

Affected systems

  • Windows 10 v1809 (build 17763.475) and earlier.

Ease of attack

Medium

False positives

None known

False negatives

None known

Corrective action

Isolate the affected system and remediate it in accordance with your organization's incident response policies. Afterward, apply the latest stable security updates to your Windows installation.

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-1175
  • portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1175