Privilege Escalation via CVE-2024-35250

[Eyezuhk]

Summary of the Pull Request

Adds a new Sigma rule to detect Privilege Escalation via CVE-2024-35250. This rule identifies potential exploitation by monitoring for specific image loads (ksproxy.ax, ksuser.dll) and a related registry modification triggered by the execution of cmd.exe with NT AUTHORITY\SYSTEM privileges.

Changelog

Example Log Event

Event 7

Image loaded:
RuleName: -
UtcTime: 2024-12-19 23:56:09.689
ProcessGuid: {cc3062fa-b299-6764-cd01-000000000500}
ProcessId: 4220
Image: C:\Users\eyezuhk\Desktop\CVE-2024-35250.exe
ImageLoaded: C:\Windows\System32\ksproxy.ax
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
Description: WDM Streaming ActiveMovie Proxy
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ksproxy.ax
Hashes: SHA1=46B1CC076C1AE967416E9EA18E5B95A48493B029,MD5=EC540CDBEBC7584F562944CD28C115FB,SHA256=598A3C648DE2B983CFDB2AC599B1254D77FEC868282083E03D65FDCF24847719,IMPHASH=BC80C0BAA52122435D413CD1EAC2C285
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
User: ISAACFN\eyezuhk

Image loaded:
RuleName: -
UtcTime: 2024-12-19 23:56:09.718
ProcessGuid: {cc3062fa-b299-6764-cd01-000000000500}
ProcessId: 4220
Image: C:\Users\eyezuhk\Desktop\CVE-2024-35250.exe
ImageLoaded: C:\Windows\System32\ksuser.dll
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
Description: User CSA Library
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ksuser.dll
Hashes: SHA1=EF8A8E9BB22E736095904876A8F1BB776BB72063,MD5=46B06DAB488A1E7339898EC4A9AC66C8,SHA256=3F28C73A70527247E64479197C93EF6732EEF6021860037163C7C479AD3CF2FB,IMPHASH=B1B9119A4C6D367DD41A0820244C09EB
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
User: ISAACFN\eyezuhk

Event 13

Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2024-12-19 23:56:09.808
ProcessGuid: {cc3062fa-b299-6764-cd01-000000000500}
ProcessId: 4220
Image: C:\Users\eyezuhk\Desktop\CVE-2024-35250.exe
TargetObject: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18\Device\HarddiskVolume4\Windows\System32\cmd.exe
Details: Binary Data
User: NT AUTHORITY\SYSTEM

Fixed Issues

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[github-actions]

Welcome @Eyezuhk 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

[nasbench]

Hi @Eyezuhk and welcome.

Looking at your PR I highly suggest you read the sigma specs and the SigmaHQ conventions to understand the sigma rule syntax. As you rule does not conform to any of that in terms of logsource and such.

Also a sigma rule in its basic form is meant to match on a single event hence you can't combine 2 events in the same rule. Thats reserved for correlation rules, which are not yet accepted in this repo.

I highly suggest you take a look at other rules in the repo and copy one that is similar and use it as a basis.

Now regarding your logic since you cannot contribute one leveraging correlation, I suggest that you perhaps look at

• process access event logs since the POC request access to winlogon which is not common from untrusted processes,
• check if the loading of those 2 dlls is common or at least write a rule that checks loading them from uncommon locations,

Hope this helps,

[Eyezuhk]

Thank you very much for the feedback.

I really didn't know that correlation between events was not supported.

During my observations, the best way I found was to correlate the same process calling ksproxy.ax and ksuser.dll, which is not common even in large production environments where I researched this, and may even disregard the registry change.

After Christmas I will check if it is possible to create a rule with few false positives from a single event, perhaps looking at winlogon.exe as you mentioned or ntoskrnl.exe...

If I find something, I will update here.

Thanks again for your time and attention.

[nasbench]

Thank you very much for the feedback.

I really didn't know that correlation between events was not supported.

During my observations, the best way I found was to correlate the same process calling ksproxy.ax and ksuser.dll, which is not common even in large production environments where I researched this, and may even disregard the registry change.

After Christmas I will check if it is possible to create a rule with few false positives from a single event, perhaps looking at winlogon.exe as you mentioned or ntoskrnl.exe...

If I find something, I will update here.

Thanks again for your time and attention.

Just regarding correlation. It is supported but we aren't accepting rules of correlation type at the moment in this repo due to maintenance costs and other things.

In the specifications repo you can read more on how such rules can be written.

Happy holidays to you