Query Details

Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293)

Query

// Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293) CVSS 8.8

// https://birkep.github.io/posts/Windows-LPE/

let WindowsServer =
DeviceInfo
| where DeviceType == "Server" and OSPlatform has "windows"
| distinct DeviceName;
let DLLLoaded =
DeviceEvents
| where Timestamp > ago(3h)
| where DeviceName has_any (WindowsServer)
| where ActionType == @"DriverLoad"
| where FileName endswith ".dll"
| distinct FileName;
DeviceRegistryEvents
| where ActionType == @"RegistryKeyCreated" or ActionType == @"RegistryValueSet"
| where RegistryValueName has_any(DLLLoaded) or RegistryValueData has_any(DLLLoaded)

Explanation

This KQL (Kusto Query Language) query is intended to surface activity that could indicate exploitation of the Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293) on Windows servers. The query assumes the exploitation pattern is an attacker-controlled DLL that gets loaded after a registry key or value is written, so it looks for registry changes that reference recently loaded DLLs. Here's a breakdown of what the query does:

  1. Identify Windows Servers:

    • The query first builds a list of distinct DeviceName values from DeviceInfo for devices classified as "Server" whose OSPlatform contains "windows".
  2. Track DLL Files Loaded:

    • It then looks at DeviceEvents from the last 3 hours for DriverLoad actions on those servers where the loaded file name ends in ".dll", and compiles a list of distinct file names. Note that DriverLoad records kernel driver loads, which are normally .sys files; user-mode DLL loads are recorded in the DeviceImageLoadEvents table, so this step will match little or nothing in most tenants.
  3. Monitor Registry Changes:

    • Finally, the query examines DeviceRegistryEvents for RegistryKeyCreated or RegistryValueSet actions whose RegistryValueName or RegistryValueData contains any of the file names from step 2. Because step 2 keeps only file names, this step is not tied to the same device or time window: the registry part of the query has no time filter of its own and is not restricted to the servers from step 1.

In summary, the query flags registry changes that reference DLLs loaded on Windows servers, which could indicate an attempt to exploit the vulnerability. Before relying on it, validate it against the DLL-load data source in your tenant and tune for noise: common system DLL names appearing in RegistryValueData will match legitimate registry writes.
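A tighter version of the same idea, written here as an added example and not part of the original query above: it takes DLL loads from DeviceImageLoadEvents, keeps the device and time of each registry write, and only reports a DLL load that follows a registry write naming that DLL on the same server within a short window. The 3h lookback, the 1h write-to-load gap, and joining on DeviceId rather than DeviceName are assumptions; adjust them to your environment.

```kusto
// Added example, not the original query: correlate registry writes that name a
// DLL with a later load of that DLL on the same Windows server.
let lookback = 3h;    // assumption: same lookback as the original query
let max_gap = 1h;     // assumption: longest gap between registry write and DLL load
let WindowsServers =
    DeviceInfo
    | where DeviceType == "Server" and OSPlatform has "windows"
    | distinct DeviceId;
// Registry writes whose data contains a DLL name; keep device, time and writer.
let RegistryDllRefs =
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where DeviceId in (WindowsServers)
    | where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
    | where RegistryValueData contains ".dll"
    // Pull the bare file name out of the value data, so both "C:\path\x.dll"
    // and "x.dll" normalise to "x.dll" for the join below.
    | extend DllName = extract(@"([^\\\/""]+\.dll)", 1, tolower(RegistryValueData))
    | where isnotempty(DllName)
    | project DeviceId, DllName,
              RegistryTime = Timestamp, RegistryKey, RegistryValueName, RegistryValueData,
              RegistryWriterProcess = InitiatingProcessFileName,
              RegistryWriterAccount = InitiatingProcessAccountName;
// DLL image loads on the same servers, matched to a preceding registry write
// on the same device that named the same DLL.
DeviceImageLoadEvents
| where Timestamp > ago(lookback)
| where DeviceId in (WindowsServers)
| where FileName endswith ".dll"
| extend DllName = tolower(FileName)
| join kind=inner (RegistryDllRefs) on DeviceId, DllName
// Registry write must come first, and the load must follow it within max_gap.
| where Timestamp >= RegistryTime and Timestamp - RegistryTime <= max_gap
| project Timestamp, DeviceName, DllName, FolderPath,
          LoadingProcess = InitiatingProcessFileName,
          LoadingAccount = InitiatingProcessAccountName,
          RegistryTime, RegistryKey, RegistryValueName, RegistryValueData,
          RegistryWriterProcess, RegistryWriterAccount
| order by Timestamp desc
```

The output pairs each suspicious load with the registry write that referenced it and the account that performed the write, which is what an analyst needs to decide whether a low-privileged writer caused a privileged process to load the DLL. Expect legitimate installers and service configuration tools to appear; tune by excluding known writer processes or signed DLL paths rather than by widening the match.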

Details


Steven Lim

Released: February 2, 2025

Tables

DeviceInfo, DeviceEvents, DeviceRegistryEvents

Keywords

DeviceInfo, DeviceEvents, DeviceRegistryEvents, DeviceType, OSPlatform, DeviceName, Timestamp, ActionType, FileName, RegistryValueName, RegistryValueData

Operators

let, |, where, and, has, distinct, >, ago, has_any, ==, endswith, or
