-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Privilege Escalation via CVE-2024-35250 #5136
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Welcome @Eyezuhk 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
Hi @Eyezuhk and welcome. Looking at your PR I highly suggest you read the sigma specs and the SigmaHQ conventions to understand the sigma rule syntax. As you rule does not conform to any of that in terms of logsource and such. Also a sigma rule in its basic form is meant to match on a single event hence you can't combine 2 events in the same rule. Thats reserved for correlation rules, which are not yet accepted in this repo. I highly suggest you take a look at other rules in the repo and copy one that is similar and use it as a basis. Now regarding your logic since you cannot contribute one leveraging correlation, I suggest that you perhaps look at
Hope this helps, |
Thank you very much for the feedback. I really didn't know that correlation between events was not supported. During my observations, the best way I found was to correlate the same process calling ksproxy.ax and ksuser.dll, which is not common even in large production environments where I researched this, and may even disregard the registry change. After Christmas I will check if it is possible to create a rule with few false positives from a single event, perhaps looking at winlogon.exe as you mentioned or ntoskrnl.exe... If I find something, I will update here. Thanks again for your time and attention. |
Just regarding correlation. It is supported but we aren't accepting rules of correlation type at the moment in this repo due to maintenance costs and other things. In the specifications repo you can read more on how such rules can be written. Happy holidays to you |
Hello @nasbench , I simplified it to
In a universe of 300k+ active Windows hosts, querying over a 7-day window, 2k hosts loaded the ksproxy.ax module. By ignoring the process in the directories ProgramFiles, WindowsSystem32, and AppData\Local\Microsoft\Teams\current\Teams.exe, we reduced the detections to 68. We can ignore:
I made some changes to the name, to follow the standards, I believe it is ok now. Although I used sysmon to create the rule, the hosts where I searched for the query were crowdstrike. I tried to do the conversion via https://uncoder.io/, but it doesn't convert correctly, the event name should be ClassifiedModuleLoad I found this project interesting, I didn't get to test it, but I'll leave it here, in case it helps anyone. |
Summary of the Pull Request
Adds a new Sigma rule to detect Privilege Escalation via CVE-2024-35250. This rule identifies potential exploitation by monitoring for specific image loads (
ksproxy.ax
,ksuser.dll
) and a related registry modification triggered by the execution ofcmd.exe
withNT AUTHORITY\SYSTEM
privileges.Changelog
Example Log Event
Event 7
Image loaded:
RuleName: -
UtcTime: 2024-12-19 23:56:09.689
ProcessGuid: {cc3062fa-b299-6764-cd01-000000000500}
ProcessId: 4220
Image: C:\Users\eyezuhk\Desktop\CVE-2024-35250.exe
ImageLoaded: C:\Windows\System32\ksproxy.ax
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
Description: WDM Streaming ActiveMovie Proxy
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ksproxy.ax
Hashes: SHA1=46B1CC076C1AE967416E9EA18E5B95A48493B029,MD5=EC540CDBEBC7584F562944CD28C115FB,SHA256=598A3C648DE2B983CFDB2AC599B1254D77FEC868282083E03D65FDCF24847719,IMPHASH=BC80C0BAA52122435D413CD1EAC2C285
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
User: ISAACFN\eyezuhk
Image loaded:
RuleName: -
UtcTime: 2024-12-19 23:56:09.718
ProcessGuid: {cc3062fa-b299-6764-cd01-000000000500}
ProcessId: 4220
Image: C:\Users\eyezuhk\Desktop\CVE-2024-35250.exe
ImageLoaded: C:\Windows\System32\ksuser.dll
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
Description: User CSA Library
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ksuser.dll
Hashes: SHA1=EF8A8E9BB22E736095904876A8F1BB776BB72063,MD5=46B06DAB488A1E7339898EC4A9AC66C8,SHA256=3F28C73A70527247E64479197C93EF6732EEF6021860037163C7C479AD3CF2FB,IMPHASH=B1B9119A4C6D367DD41A0820244C09EB
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
User: ISAACFN\eyezuhk
Event 13
Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2024-12-19 23:56:09.808
ProcessGuid: {cc3062fa-b299-6764-cd01-000000000500}
ProcessId: 4220
Image: C:\Users\eyezuhk\Desktop\CVE-2024-35250.exe
TargetObject: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18\Device\HarddiskVolume4\Windows\System32\cmd.exe
Details: Binary Data
User: NT AUTHORITY\SYSTEM
Fixed Issues
SigmaHQ Rule Creation Conventions