Rule : Potential CVE-2024-35250 Exploitation Activity
CVE 2024 35250
Query
DeviceImageLoadEvents
| where FileName endswith @"ksproxy.ax"About this query
Explanation
This query is designed to detect potentially suspicious activity on a Windows system that might indicate an attempt to exploit a specific security vulnerability, CVE-2024-35250. This vulnerability could allow attackers to escalate their privileges on a system by loading a malicious module instead of a legitimate one.
Here's a simple breakdown of what the query does:
-
Monitors for Suspicious Activity: It looks for events where the file "ksproxy.ax" is loaded. This file is typically associated with legitimate processes, but its loading by an unusual or suspicious process might indicate an exploitation attempt.
-
Focus on Specific Events: The query specifically checks
DeviceImageLoadEvents, which are events generated when an image (like a DLL or executable) is loaded into a process. -
Exclusions for Legitimate Activity: To reduce false positives, the query excludes events where:
- The file is loaded from trusted system directories like "C:\Program Files" or "C:\Windows\System32".
- The image is loaded by known legitimate applications such as Microsoft Teams, Zoom, Firefox, Chrome, or Opera.
In summary, this query helps identify potentially malicious activity related to the CVE-2024-35250 vulnerability by monitoring for unusual loading of the "ksproxy.ax" file, while filtering out known legitimate cases to avoid false alarms.
Details

Ali Hussein
Released: February 25, 2025
Tables
Keywords
Operators