Query Details
// CVE-2024-43452 PoC Detection
// As the year begins, we've encountered a second significant Windows exploit. A Proof of Concept (PoC) has been released for CVE-2024-43452, a Windows Registry Elevation of Privilege vulnerability (CVSS 7.5) affecting Windows 11 23H2. This PoC, created by Mateusz Jurczyk from Google Project Zero, was inspired by Gabriel Landau's research on registry vulnerabilities. (Link available in the comments)
// CVE-2024-43452 PoC: https://project-zero.issues.chromium.org/issues/42451731
// Fellow defenders, I have developed an advanced hunting Defender XDR KQL query to detect the use of this PoC with high accuracy. Deploy it wisely to prevent abuse by red teams and threat actors.
// Stage 1: devices that Defender Vulnerability Management still reports as exposed to the CVE (not patched)
let VulnerableEndpoint = DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-43452"
| distinct DeviceName;
// Stage 2: an unusual low-prevalence, unsigned .exe was created
let ExeWithLP = DeviceFileEvents
| where ActionType == @"FileCreated"
| where FileName endswith ".exe"
| distinct SHA1, FileName                  // FileProfile() enriches at most 1,000 rows, so de-duplicate before calling it
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence <= 50
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| where isempty(SignatureState) or SignatureState == @"Unsigned"   // no certificate record after the leftouter join, or explicitly unsigned
| distinct FileName;
// Stage 3: that executable was run from a command line that also references a .dat file
let EPwithCMDRun = DeviceEvents
| where InitiatingProcessCommandLine has ".exe" and InitiatingProcessCommandLine has ".dat"
| where FileName has_any (ExeWithLP)
| distinct DeviceName;
// Stage 4: successful outbound SMB connection from a device that passed stages 1 and 3
DeviceNetworkEvents
| where RemotePort == 445                   // RemotePort is an int column: compare with a number, not the string "445"
| where ActionType == "ConnectionSuccess"
| where DeviceName in (EPwithCMDRun)        // ran the low-prevalence exe with a .dat argument (exact device match)
| where DeviceName in (VulnerableEndpoint)  // not patched - vulnerable
// MITRE ATT&CK
This query is designed to detect potential exploitation of CVE-2024-43452, a Windows Registry elevation-of-privilege vulnerability, on Windows 11 23H2 systems. It is written in Microsoft's Kusto Query Language (KQL) for Defender XDR advanced hunting and chains four filters, each narrowing the previous stage's results. Here's a breakdown of what the query does:
Identify Vulnerable Devices: It first builds the set of devices that Defender Vulnerability Management still reports as exposed to CVE-2024-43452, by selecting rows in the DeviceTvmSoftwareVulnerabilities table with that CVE ID. A device that has been patched drops out of this set, so the query will not alert on it even if the PoC is run there.
Detect Unusual Executable Files: It collects the names of newly created executables (.exe FileCreated events in DeviceFileEvents) that are both rare and unsigned. Rarity comes from the FileProfile() enrichment, which looks each hash up in Microsoft's file-reputation data and returns GlobalPrevalence, the number of devices worldwide on which the file has been seen; the threshold is 50 or fewer. Signature status comes from a left outer join against DeviceFileCertificateInfo: a file with no certificate record or an explicit Unsigned state is kept.
Monitor Command Line Activity: It then finds devices in DeviceEvents where one of those executables appears in an event whose initiating command line references both an .exe and a .dat file, the invocation pattern the query associates with the PoC and which might indicate an attempt to exploit the vulnerability.
Track Network Connections: Finally, it returns successful outbound SMB connections (RemotePort 445, ConnectionSuccess) in DeviceNetworkEvents from devices that are in both the vulnerable set and the suspicious-execution set.
The query aims to give defenders a way to spot use of the PoC by red teams or threat actors on endpoints that have not yet been patched. Two caveats apply when deploying it: the stages are correlated by DeviceName only, with no time window, so a device that ran a rare unsigned .exe with a .dat argument days before its SMB connection still matches; and stages 2 and 3 are tied to how the PoC is packaged and invoked, so a signed build passes stage 2 and an input file not named *.dat passes stage 3. The trailing // MITRE ATT&CK comment is left empty; the natural mapping for this activity is T1068 (Exploitation for Privilege Escalation).
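The four stages described above, as an added worked example (my own code, not the author's query or Microsoft's): a Python re-implementation of the same staged filter over constructed sample rows shaped like the tables the query reads. Device names, the file name regpoc.exe, the hashes and the command lines are made up, and `has_term` only approximates KQL's term-based `has`. It goes beyond the query in one respect: an optional `window` argument additionally requires the SMB connection to follow the suspicious execution within a bounded time on the same device, whereas the original correlates on DeviceName alone.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

CVE = "CVE-2024-43452"
ONE_HOUR = timedelta(hours=1)

# Constructed sample rows (not real telemetry), shaped like the advanced hunting tables.
# "regpoc.exe", the hashes and the command lines are invented for this example.
POC_SHA1, COMMON_SHA1 = "a" * 40, "b" * 40


def T(day, hour, minute):
    return datetime(2025, 1, day, hour, minute)


TVM_SOFTWARE_VULNERABILITIES = [                        # stage 1: still exposed per TVM
    {"DeviceName": "ws-vuln-01", "CveId": CVE}, {"DeviceName": "ws-vuln-03", "CveId": CVE}]
DEVICE_FILE_EVENTS = [                                  # stage 2
    {"Timestamp": T(7, 9, 0), "DeviceName": "ws-vuln-01", "ActionType": "FileCreated", "FileName": "regpoc.exe", "SHA1": POC_SHA1},
    {"Timestamp": T(7, 9, 0), "DeviceName": "ws-patched-02", "ActionType": "FileCreated", "FileName": "regpoc.exe", "SHA1": POC_SHA1},
    {"Timestamp": T(2, 9, 0), "DeviceName": "ws-vuln-03", "ActionType": "FileCreated", "FileName": "regpoc.exe", "SHA1": POC_SHA1},
    {"Timestamp": T(7, 8, 0), "DeviceName": "ws-vuln-01", "ActionType": "FileCreated", "FileName": "teams.exe", "SHA1": COMMON_SHA1}]
FILE_PROFILE = {POC_SHA1: 3, COMMON_SHA1: 900_000}      # GlobalPrevalence as invoke FileProfile() would return it
DEVICE_FILE_CERTIFICATE_INFO = {COMMON_SHA1: "SignedValid"}  # no row for the PoC hash: leftouter join leaves SignatureState empty
DEVICE_EVENTS = [                                       # stage 3
    {"Timestamp": T(7, 9, 5), "DeviceName": "ws-vuln-01", "FileName": "regpoc.exe", "InitiatingProcessCommandLine": "regpoc.exe payload.dat"},
    {"Timestamp": T(7, 9, 5), "DeviceName": "ws-patched-02", "FileName": "regpoc.exe", "InitiatingProcessCommandLine": "regpoc.exe payload.dat"},
    {"Timestamp": T(2, 9, 5), "DeviceName": "ws-vuln-03", "FileName": "regpoc.exe", "InitiatingProcessCommandLine": "regpoc.exe payload.dat"},
    {"Timestamp": T(7, 9, 7), "DeviceName": "ws-vuln-01", "FileName": "regpoc.exe", "InitiatingProcessCommandLine": "regpoc.exe --help"}]
DEVICE_NETWORK_EVENTS = [                               # stage 4
    {"Timestamp": T(7, 9, 6), "DeviceName": "ws-vuln-01", "RemotePort": 445, "ActionType": "ConnectionSuccess"},
    {"Timestamp": T(7, 9, 6), "DeviceName": "ws-patched-02", "RemotePort": 445, "ActionType": "ConnectionSuccess"},
    {"Timestamp": T(7, 10, 0), "DeviceName": "ws-vuln-03", "RemotePort": 445, "ActionType": "ConnectionSuccess"},
    {"Timestamp": T(7, 9, 8), "DeviceName": "ws-vuln-01", "RemotePort": 445, "ActionType": "ConnectionFailed"}]
SAMPLE_TABLES = (TVM_SOFTWARE_VULNERABILITIES, DEVICE_FILE_EVENTS, FILE_PROFILE,
                 DEVICE_FILE_CERTIFICATE_INFO, DEVICE_EVENTS, DEVICE_NETWORK_EVENTS)


def has_term(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of a whole alphanumeric term (".dat" -> term "dat")."""
    core = re.sub(r"^[^0-9a-z]+|[^0-9a-z]+$", "", term.lower())
    return re.search(r"(?<![0-9a-z])" + re.escape(core) + r"(?![0-9a-z])", text.lower()) is not None


def vulnerable_endpoints(tvm_rows, cve: str = CVE) -> set:
    """Stage 1: devices that Defender Vulnerability Management still reports as exposed to the CVE."""
    return {r["DeviceName"] for r in tvm_rows if r["CveId"] == cve}


def low_prevalence_unsigned_exes(file_events, file_profile, cert_info, max_prevalence: int = 50) -> set:
    """Stage 2: names of newly created .exe files that are rare and have no (valid) signature record."""
    names = set()
    for ev in file_events:
        if ev["ActionType"] != "FileCreated" or not ev["FileName"].lower().endswith(".exe"):
            continue
        prevalence = file_profile.get(ev["SHA1"])          # None = hash unknown to FileProfile; the KQL drops that row
        if prevalence is None or prevalence > max_prevalence:
            continue
        if cert_info.get(ev["SHA1"], "") in ("", "Unsigned"):   # empty after the leftouter join, or explicitly unsigned
            names.add(ev["FileName"])
    return names


def suspicious_runs(device_events, exe_names) -> list:
    """Stage 3: events naming one of the rare exes whose command line references both an .exe and a .dat."""
    return [ev for ev in device_events
            if has_term(ev["InitiatingProcessCommandLine"], ".exe")
            and has_term(ev["InitiatingProcessCommandLine"], ".dat")
            and any(has_term(ev["FileName"], n) for n in exe_names)]


def hunt(tvm_rows, file_events, file_profile, cert_info, device_events, network_events,
         window: Optional[timedelta] = None) -> list:
    """Stage 4: successful SMB connections from devices that passed stages 1 and 3.
    window=None reproduces the query (correlation by DeviceName only); a timedelta additionally requires
    the SMB connection to fall within that span *after* a stage 3 run on the same device (my addition)."""
    vulnerable = vulnerable_endpoints(tvm_rows)
    run_times = {}
    for ev in suspicious_runs(device_events, low_prevalence_unsigned_exes(file_events, file_profile, cert_info)):
        run_times.setdefault(ev["DeviceName"], []).append(ev["Timestamp"])
    hits = []
    for ne in network_events:
        dev = ne["DeviceName"]
        if ne["RemotePort"] != 445 or ne["ActionType"] != "ConnectionSuccess":
            continue
        if dev not in vulnerable or dev not in run_times:
            continue
        if window is not None and not any(timedelta(0) <= ne["Timestamp"] - t <= window for t in run_times[dev]):
            continue
        hits.append(ne)
    return hits


if __name__ == "__main__":
    for label, w in (("as written", None), ("1h window", ONE_HOUR)):
        print(label, sorted({h["DeviceName"] for h in hunt(*SAMPLE_TABLES, window=w)}))
```

Run as written, the sample flags ws-vuln-01 and ws-vuln-03; ws-patched-02 performs identical activity but is excluded by stage 1. With `window=ONE_HOUR` only ws-vuln-01 remains, because ws-vuln-03's suspicious run happened five days before its SMB connection. That difference is the device-only correlation caveat made concrete; in the real query the equivalent tightening would be a join on DeviceName with a Timestamp range rather than the `in` filters.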

Steven Lim
Released: January 7, 2025