Demo of the SandboxEscaper readfile vuln. I used a VM in VirtualBox running a super out-of-date Win10 install, 4 vCPUs, and 2 GB RAM. I also installed Splunk Enterprise utilizing the free license. Lastly, I disabled the NIC prior to running the binary just in case ;)
Readfile 0day description (original blog post has been taken down):
https://www.bleepingcomputer.com/news/security/windows-zero-day-poc-lets-you-read-any-file-with-system-level-access/
Readfile.rar repo:
https://github.com/SandboxEscaper/randomrepo/blob/master/Readfile.rar
Configure Splunk to grab local logs (Use Splunk Web to configure event log monitoring):
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/MonitorWindowseventlogdata
I-SECURE blog on detection:
https://www.i-secure.co.th/2018/12/detecting-use-sandboxescapers-msiadvertiseproduct-0-day-poc/
SandboxEscaper Readfile Vulnerability + Detection via Splunk | NatokHD