Privilege Escalation via CVE-2024-35250

rules-emerging-threats/2024/Exploits/CVE-2024-35250/privilege_escalation_via_cve_2024_35250.yml

@@ -0,0 +1,38 @@
+title: Privilege Escalation via CVE-2024-35250
+id: 17ce9373e-2163-4a2c-90ba-f91e9ef7a8c1
+status: experimental
+description: Detects when cmd.exe with system privileges is executed after a process loads 'ksproxy.ax' and 'ksuser.dll', indicating potential exploitation of CVE-2024-35250.
+references:
+    - https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
+    - https://github.com/varwara/CVE-2024-35250
+    - https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/
+    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+author: '@eyezuhk Isaac Fernandes '
+date: 2024-12-19
+tags:
+    - attack.t1068
+    - attack.exploitation_for_privilege_escalation
+    - cve.2024.35250
+logsource:
+    product: windows
+    service: sysmon
+    category: process
+    definition: 'Sysmon event logs capturing process image loads and registry modifications'
+    eventid:
+      - 7 # Image Loaded
+      - 13 # Registry event
+detection:
+    selection_imgload:
+        EventID: 7
+        ImageLoaded|endswith:
+          - "ksproxy.ax"
+          - "ksuser.dll"
+        User: not "NT AUTHORITY\\SYSTEM"
+    selection_registry:
+        EventID: 13
+        TargetObject|contains: "HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-18\\Device\\HarddiskVolume*\\Windows\\System32\\cmd.exe"
+        User: "NT AUTHORITY\\SYSTEM"
+    condition: selection_imgload and selection_registry
+falsepositives:
+    - Legitimate system processes that load ksproxy.ax and ksuser.dll may trigger this rule.
+level: high