CVE 2024 49039 Windows Task Scheduler Elevation Of Privilege Vulnerability
Query
// Zero-Day 🪲 CVE-2024-49039
// https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49039
// A KQL query to detect an authenticated attacker who initially runs a low-privilege AppContainer, which is later elevated with privileges, referencing the Microsoft CVE-2024-49039 Windows Task Scheduler Elevation of Privilege Vulnerability.
let VulnerableEndpoint =
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-49039"
| distinct DeviceName;
let VulnerableEPwithAppContainer =
DeviceProcessEvents
| where ProcessCommandLine contains "/appcontainer"
| where DeviceName has_any(VulnerableEndpoint)
| distinct DeviceName;
DeviceProcessEvents
| where DeviceName has_any(VulnerableEPwithAppContainer)
| where ProcessTokenElevation == "TokenElevationTypeFull"Explanation
This KQL query is designed to detect potential exploitation of a specific security vulnerability, CVE-2024-49039, which involves privilege escalation through the Windows Task Scheduler. Here's a simplified breakdown of what the query does:
-
Identify Vulnerable Devices:
- The query first identifies devices that have the specific vulnerability (CVE-2024-49039) by checking the
DeviceTvmSoftwareVulnerabilitiestable. It creates a list of device names that are affected.
- The query first identifies devices that have the specific vulnerability (CVE-2024-49039) by checking the
-
Find Devices Running AppContainers:
- Next, it looks for processes on those vulnerable devices that are running with a command line containing "/appcontainer". This indicates that a low-privilege AppContainer is being used. It creates another list of device names that match this criterion.
-
Detect Privilege Escalation:
- Finally, the query checks for any processes on the devices identified in the previous step that have undergone a privilege escalation, indicated by the
ProcessTokenElevationbeing "TokenElevationTypeFull". This suggests that an attacker might have successfully elevated privileges on a vulnerable device.
- Finally, the query checks for any processes on the devices identified in the previous step that have undergone a privilege escalation, indicated by the
In summary, this query helps security analysts detect if an attacker has exploited the CVE-2024-49039 vulnerability to elevate privileges on a device that initially ran a low-privilege AppContainer.
Details

Steven Lim
Released: November 15, 2024
Tables
DeviceTvmSoftwareVulnerabilitiesDeviceProcessEvents
Keywords
DeviceTvmSoftwareVulnerabilitiesProcessEventsCommandLineNameTokenElevation
Operators
let|where==containshas_anydistinct