Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Privilege Escalation via CVE-2024-35250 #5136

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

Eyezuhk
Copy link

@Eyezuhk Eyezuhk commented Dec 20, 2024

Summary of the Pull Request

Adds a new Sigma rule to detect Privilege Escalation via CVE-2024-35250. This rule identifies potential exploitation by monitoring for specific image loads (ksproxy.ax, ksuser.dll) and a related registry modification triggered by the execution of cmd.exe with NT AUTHORITY\SYSTEM privileges.

Changelog

Example Log Event

Event 7

Image loaded:
RuleName: -
UtcTime: 2024-12-19 23:56:09.689
ProcessGuid: {cc3062fa-b299-6764-cd01-000000000500}
ProcessId: 4220
Image: C:\Users\eyezuhk\Desktop\CVE-2024-35250.exe
ImageLoaded: C:\Windows\System32\ksproxy.ax
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
Description: WDM Streaming ActiveMovie Proxy
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ksproxy.ax
Hashes: SHA1=46B1CC076C1AE967416E9EA18E5B95A48493B029,MD5=EC540CDBEBC7584F562944CD28C115FB,SHA256=598A3C648DE2B983CFDB2AC599B1254D77FEC868282083E03D65FDCF24847719,IMPHASH=BC80C0BAA52122435D413CD1EAC2C285
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
User: ISAACFN\eyezuhk

Image loaded:
RuleName: -
UtcTime: 2024-12-19 23:56:09.718
ProcessGuid: {cc3062fa-b299-6764-cd01-000000000500}
ProcessId: 4220
Image: C:\Users\eyezuhk\Desktop\CVE-2024-35250.exe
ImageLoaded: C:\Windows\System32\ksuser.dll
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
Description: User CSA Library
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ksuser.dll
Hashes: SHA1=EF8A8E9BB22E736095904876A8F1BB776BB72063,MD5=46B06DAB488A1E7339898EC4A9AC66C8,SHA256=3F28C73A70527247E64479197C93EF6732EEF6021860037163C7C479AD3CF2FB,IMPHASH=B1B9119A4C6D367DD41A0820244C09EB
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
User: ISAACFN\eyezuhk

Event 13

Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2024-12-19 23:56:09.808
ProcessGuid: {cc3062fa-b299-6764-cd01-000000000500}
ProcessId: 4220
Image: C:\Users\eyezuhk\Desktop\CVE-2024-35250.exe
TargetObject: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18\Device\HarddiskVolume4\Windows\System32\cmd.exe
Details: Binary Data
User: NT AUTHORITY\SYSTEM

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome @Eyezuhk 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@nasbench
Copy link
Member

Hi @Eyezuhk and welcome.

Looking at your PR I highly suggest you read the sigma specs and the SigmaHQ conventions to understand the sigma rule syntax. As you rule does not conform to any of that in terms of logsource and such.

Also a sigma rule in its basic form is meant to match on a single event hence you can't combine 2 events in the same rule. Thats reserved for correlation rules, which are not yet accepted in this repo.

I highly suggest you take a look at other rules in the repo and copy one that is similar and use it as a basis.

Now regarding your logic since you cannot contribute one leveraging correlation, I suggest that you perhaps look at

  • process access event logs since the POC request access to winlogon which is not common from untrusted processes,
  • check if the loading of those 2 dlls is common or at least write a rule that checks loading them from uncommon locations,

Hope this helps,

@nasbench nasbench added Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels Dec 24, 2024
@Eyezuhk
Copy link
Author

Eyezuhk commented Dec 24, 2024

Thank you very much for the feedback.

I really didn't know that correlation between events was not supported.

During my observations, the best way I found was to correlate the same process calling ksproxy.ax and ksuser.dll, which is not common even in large production environments where I researched this, and may even disregard the registry change.

After Christmas I will check if it is possible to create a rule with few false positives from a single event, perhaps looking at winlogon.exe as you mentioned or ntoskrnl.exe...

If I find something, I will update here.

Thanks again for your time and attention.

@nasbench
Copy link
Member

Thank you very much for the feedback.

I really didn't know that correlation between events was not supported.

During my observations, the best way I found was to correlate the same process calling ksproxy.ax and ksuser.dll, which is not common even in large production environments where I researched this, and may even disregard the registry change.

After Christmas I will check if it is possible to create a rule with few false positives from a single event, perhaps looking at winlogon.exe as you mentioned or ntoskrnl.exe...

If I find something, I will update here.

Thanks again for your time and attention.

Just regarding correlation. It is supported but we aren't accepting rules of correlation type at the moment in this repo due to maintenance costs and other things.

In the specifications repo you can read more on how such rules can be written.

Happy holidays to you

@Eyezuhk Eyezuhk marked this pull request as draft January 9, 2025 16:36
@Eyezuhk
Copy link
Author

Eyezuhk commented Jan 9, 2025

Hello @nasbench , I simplified it to

logsource:
    category: image_load
    product: windows
detection:
    selection:
         ImageLoaded|endswith:
            - '\ksproxy.ax'
    filter_system_paths:
        Image|startswith:
            - 'C:\Program Files'
            - 'C:\Windows\System32'
            - 'C:\Windows\SysWOW64'
    filter_legitimate_apps:
        Image|endswith:
            - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_*

In a universe of 300k+ active Windows hosts, querying over a 7-day window, 2k hosts loaded the ksproxy.ax module.

By ignoring the process in the directories ProgramFiles, WindowsSystem32, and AppData\Local\Microsoft\Teams\current\Teams.exe, we reduced the detections to 68.

We can ignore:

Windows\SysWOW64\dxdiag.exe
AppData\Roaming\Zoom\bin\Zoom.exe
AppData\Local\Mozilla Firefox\firefox.exe
AppData\Local\Google\Chrome\Application\chrome.exe
AppData\Local\Programs\Opera\opera.exe
Discord.exe
obs64.exe

I made some changes to the name, to follow the standards, I believe it is ok now.

Although I used sysmon to create the rule, the hosts where I searched for the query were crowdstrike.

I tried to do the conversion via https://uncoder.io/, but it doesn't convert correctly, the event name should be ClassifiedModuleLoad

I found this project interesting, I didn't get to test it, but I'll leave it here, in case it helps anyone.
https://github.com/SigmaHQ/pySigma-backend-crowdstrike

@Eyezuhk Eyezuhk marked this pull request as ready for review January 9, 2025 18:51
@nasbench nasbench added Work In Progress Some changes are needed and removed Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels Jan 19, 2025
@nasbench nasbench self-requested a review January 19, 2025 21:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants