Query Details

Rule : Potential CVE-2024-35250 Exploitation Activity

CVE 2024 35250

Query

DeviceImageLoadEvents
| where FileName endswith @"ksproxy.ax"

About this query

Explanation

This query is designed to detect potentially suspicious activity on a Windows system that might indicate an attempt to exploit a specific security vulnerability, CVE-2024-35250. This vulnerability could allow attackers to escalate their privileges on a system by loading a malicious module instead of a legitimate one.

Here's a simple breakdown of what the query does:

  1. Monitors for Suspicious Activity: It looks for events where the file "ksproxy.ax" is loaded. This file is typically associated with legitimate processes, but its loading by an unusual or suspicious process might indicate an exploitation attempt.

  2. Focus on Specific Events: The query specifically checks DeviceImageLoadEvents, which are events generated when an image (like a DLL or executable) is loaded into a process.

  3. Exclusions for Legitimate Activity: To reduce false positives, the query excludes events where:

    • The file is loaded from trusted system directories like "C:\Program Files" or "C:\Windows\System32".
    • The image is loaded by known legitimate applications such as Microsoft Teams, Zoom, Firefox, Chrome, or Opera.

In summary, this query helps identify potentially malicious activity related to the CVE-2024-35250 vulnerability by monitoring for unusual loading of the "ksproxy.ax" file, while filtering out known legitimate cases to avoid false alarms.

Details

Ali Hussein profile picture

Ali Hussein

Released: February 25, 2025

Tables

DeviceImageLoadEvents

Keywords

DeviceImageFileNameApplicationSystemPaths

Operators

DeviceImageLoadEventswhereendswith

Actions

GitHub