Privilege Escalation via CVE-2024-35250

rules-emerging-threats/2024/Exploits/CVE-2024-35250/win_exploit_cve_2024_35250_privilege_escalation.yml

@@ -0,0 +1,38 @@
+title: CVE-2024-35250 Exploitation 
+id: 17ce9373-2163-4a2c-90ba-f91e9ef7a8c1
+status: experimental
+description: |
+    Detects suspicious loading of ksproxy.ax, which may indicate an attempt to exploit CVE-2024-35250.
+references:
+    - https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
+    - https://github.com/varwara/CVE-2024-35250
+    - https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/
+    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+author: '@eyezuhk Isaac Fernandes'
+date: 2024/12/19
+modified: 2025/01/09
+tags:
+    - attack.privilege_escalation
+    - attack.t1068
+    - cve.2024.35250
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+         ImageLoaded|endswith:
+            - '\ksproxy.ax'
+    filter_system_paths:
+        Image|startswith:
+            - 'C:\Program Files'
+            - 'C:\Windows\System32'
+            - 'C:\Windows\SysWOW64'
+    filter_legitimate_apps:
+        Image|endswith:
+            - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Legitimate applications that use Windows Stream Interface APIs
+    - Media applications that use DirectShow filters
+    - AppData\Roaming\Zoom\bin\Zoom.exe,AppData\Local\Mozilla Firefox\firefox.exe,AppData\Local\Google\Chrome\Application\chrome.exe,AppData\Local\Programs\Opera\opera.exe,Discord.exe,obs64.exe
+level: high