Query Details

CVE 2024 35250

Query

# Rule : Potential CVE-2024-35250 Exploitation Activity

## Description
Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
This detection rule identifies potential exploitation attempts of CVE-2024-35250 that could allow attackers to achieve privilege escalation. By abusing the image load mechanism, threat actors may attempt to load a malicious module in place of a legitimate one, bypassing security controls and escalating privileges on the target system.

- [Detection.fyi: Image Load Exploit CVE-2024-35250 Privilege Escalation](https://detection.fyi/sigmahq/sigma/emerging-threats/2024/exploits/cve-2024-35250/image_load_exploit_cve_2024_35250_privilege_escalation/)

## Detection Logic
- Monitors `DeviceImageLoadEvents` for `ksproxy.ax` being loaded by a suspicious process

## Tags
- Privilege Escalation
- Image Load Exploit
- CVE-2024-35250
- Exploitation
- Windows Security
- Suspicious Activity

## Search Query
```kql
DeviceImageLoadEvents
| where FileName endswith @"ksproxy.ax"
```


- **Exclusions:**
  You might need to exclude the following in your environment:
  - Exclude events where the loaded image path (the `FolderPath` column of `DeviceImageLoadEvents`, which holds the full path of the loaded `ksproxy.ax`) starts with any of the following trusted system paths:
    - `C:\Program Files\`
    - `C:\Program Files (x86)\`
    - `C:\Windows\System32\`
    - `C:\Windows\SysWOW64\`
  - Exclude events where the loading process (`InitiatingProcessFolderPath`; the `Image` field in Sysmon/Sigma terms) ends with any of the following known legitimate applications:
    - `\AppData\Local\Microsoft\Teams\current\Teams.exe`
    - `\AppData\Roaming\Zoom\bin\Zoom.exe`
    - `\AppData\Local\Mozilla Firefox\firefox.exe`
    - `\AppData\Local\Google\Chrome\Application\chrome.exe`
    - `\AppData\Local\Programs\Opera\opera.exe`

Explanation

This query is designed to detect potentially suspicious activity on a Windows system that might indicate an attempt to exploit a specific security vulnerability, CVE-2024-35250. This vulnerability could allow attackers to escalate their privileges on a system by loading a malicious module instead of a legitimate one.

Here's a simple breakdown of what the query does:

  1. Monitors for Suspicious Activity: It looks for events where the file "ksproxy.ax" is loaded. This file is typically associated with legitimate processes, but its loading by an unusual or suspicious process might indicate an exploitation attempt.

  2. Focus on Specific Events: The query specifically checks DeviceImageLoadEvents, which are events generated when an image (like a DLL or executable) is loaded into a process.

  3. Exclusions for Legitimate Activity: To reduce false positives, the suggested exclusions (not yet part of the base query above) remove events where:

    - The file is loaded from trusted system directories like "C:\Program Files" or "C:\Windows\System32".
    - The image is loaded by known legitimate applications such as Microsoft Teams, Zoom, Firefox, Chrome, or Opera.

In summary, this query helps identify potentially malicious activity related to the CVE-2024-35250 vulnerability by monitoring for unusual loading of the "ksproxy.ax" file, while filtering out known legitimate cases to avoid false alarms.
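The base search query and the exclusion list above are shown separately on this page; the following is an added example (not the page's own query) that combines them into one Advanced Hunting query. It assumes the standard `DeviceImageLoadEvents` columns: `FolderPath` carries the full path of the loaded image, and `InitiatingProcessFolderPath` the full path of the process that loaded it. The seven-day window and the projected columns are choices made here, not part of the original rule.

```kql
// Added example: base detection for CVE-2024-35250 plus the suggested exclusions.
// Assumes Microsoft Defender Advanced Hunting column names for DeviceImageLoadEvents.
DeviceImageLoadEvents
| where Timestamp > ago(7d)                       // assumed lookback window; tune as needed
| where FileName endswith @"ksproxy.ax"
// FolderPath holds the full path of the loaded ksproxy.ax (folder + file name).
// A copy of the module living under a trusted system directory is the expected case;
// string comparisons in KQL are case-insensitive, which suits Windows paths.
| where not(FolderPath startswith @"C:\Program Files\"
         or FolderPath startswith @"C:\Program Files (x86)\"
         or FolderPath startswith @"C:\Windows\System32\"
         or FolderPath startswith @"C:\Windows\SysWOW64\")
// InitiatingProcessFolderPath is the full path of the loading process
// (the "Image" field in Sysmon/Sigma terms); drop the known legitimate loaders.
| where not(InitiatingProcessFolderPath endswith @"\AppData\Local\Microsoft\Teams\current\Teams.exe"
         or InitiatingProcessFolderPath endswith @"\AppData\Roaming\Zoom\bin\Zoom.exe"
         or InitiatingProcessFolderPath endswith @"\AppData\Local\Mozilla Firefox\firefox.exe"
         or InitiatingProcessFolderPath endswith @"\AppData\Local\Google\Chrome\Application\chrome.exe"
         or InitiatingProcessFolderPath endswith @"\AppData\Local\Programs\Opera\opera.exe")
// Keep what an analyst needs to triage: where the module came from, its hash,
// and which process and account loaded it.
| project Timestamp, DeviceName, FolderPath, SHA256,
          InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, ReportId
| order by Timestamp desc
```

The first exclusion is the important one: it applies to the path of the loaded module, so a `ksproxy.ax` loaded from a user-writable location (a profile directory, a temp folder) stays in scope, which is exactly the condition the rule is meant to surface. The loader exclusion matches on the initiating process path only, so keep that list short and review hits rather than broadening it; each entry you add is a loader for which a module loaded from an unexpected location would no longer be reported.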

Details


Ali Hussein

Released: February 25, 2025
