Query Details

CVE-2024-49039 Windows Task Scheduler Elevation of Privilege Vulnerability

Query

// Zero-Day 🪲 CVE-2024-49039
// https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49039
// A KQL query to detect an authenticated attacker who initially runs a low-privilege AppContainer, which is later elevated with privileges, referencing the Microsoft CVE-2024-49039 Windows Task Scheduler Elevation of Privilege Vulnerability.

// 1. Devices that Defender Vulnerability Management reports as exposed to CVE-2024-49039
let VulnerableEndpoint = 
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-49039"
| distinct DeviceName;
// 2. Of those devices, the ones where a process was started with "/appcontainer" on its command line
let VulnerableEPwithAppContainer =
DeviceProcessEvents
| where ProcessCommandLine contains "/appcontainer"
| where DeviceName has_any(VulnerableEndpoint)
| distinct DeviceName;
// 3. Processes on those devices that run with a fully elevated token
DeviceProcessEvents
| where DeviceName has_any(VulnerableEPwithAppContainer)
| where ProcessTokenElevation == "TokenElevationTypeFull"

Explanation

This KQL query is designed to detect potential exploitation of a specific security vulnerability, CVE-2024-49039, which involves privilege escalation through the Windows Task Scheduler. Here's a simplified breakdown of what the query does:

  1. Identify vulnerable devices:
    • The query first identifies devices affected by CVE-2024-49039 by checking the DeviceTvmSoftwareVulnerabilities table, and builds a list of their device names.
  2. Find devices running AppContainers:
    • Next, it looks on those vulnerable devices for processes whose command line contains "/appcontainer", which indicates that a low-privilege AppContainer is in use, and builds a second list of the device names that match.
  3. Detect privilege escalation:
    • Finally, it returns any process on the devices from the previous step that runs with a fully elevated token, indicated by ProcessTokenElevation being "TokenElevationTypeFull". This suggests that an attacker might have successfully elevated privileges on a vulnerable device.

In summary, this query helps security analysts detect if an attacker has exploited the CVE-2024-49039 vulnerability to elevate privileges on a device that initially ran a low-privilege AppContainer.
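As written, the third stage returns every process on a matching device that carries a fully elevated token, which includes routine administrative activity, and the AppContainer launch and the elevated process are only tied together by device name. The variant below is an added example, not part of Steven Lim's query, that joins the two events on DeviceName and keeps only elevated processes that start within a window after an AppContainer launch on that device. The one-hour window, the use of `in` for an exact match against the device list, and the projected columns are assumptions chosen for illustration; the table and column names are the standard advanced hunting ones used by the original query.

```kql
// Added example (not the original query): correlate the fully elevated process
// with a preceding AppContainer launch on the same vulnerable device.
// Assumptions: a 1h correlation window and the projected columns below.
let VulnerableEndpoint =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2024-49039"
    | distinct DeviceName;
let AppContainerLaunch =
    DeviceProcessEvents
    | where DeviceName in (VulnerableEndpoint)
    | where ProcessCommandLine contains "/appcontainer"
    | project DeviceName, AppContainerTime = Timestamp,
              AppContainerCmd = ProcessCommandLine, AppContainerAccount = AccountName;
DeviceProcessEvents
| where DeviceName in (VulnerableEndpoint)
| where ProcessTokenElevation == "TokenElevationTypeFull"
| join kind=inner AppContainerLaunch on DeviceName
// keep only elevated processes that started after the AppContainer launch, within the window
| where Timestamp between (AppContainerTime .. (AppContainerTime + 1h))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, AppContainerTime, AppContainerCmd, AppContainerAccount
| order by DeviceName asc, Timestamp asc
```

The join produces one row per (elevated process, AppContainer launch) pair on a device, so a single elevated process can appear several times when several AppContainer launches precede it; an analyst can tighten the window or add a `summarize` by DeviceName and ProcessCommandLine if the pairing is too noisy in a given environment.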

Details


Steven Lim

Released: November 15, 2024

Tables

DeviceTvmSoftwareVulnerabilities, DeviceProcessEvents

Keywords

DeviceTvmSoftwareVulnerabilities, DeviceProcessEvents, ProcessCommandLine, DeviceName, ProcessTokenElevation

Operators

let, |, where, ==, contains, has_any, distinct
