Query Details

Detecting Zero-Day CVE-2025-21333 Privilege Escalation

Query

// Detecting Zero-Day CVE-2025-21333 Privilege Escalation

// https://securityonline.info/windows-hyper-v-zero-day-cve-2025-21333-poc-drops-system-access-exposed/
// https://github.com/MrAle98/CVE-2025-21333-POC

let QueryPeriod = 30d;       // lookback used to build the device inventory sets
let DetectionPeriod = 1h;    // window for the file-creation and token-modification events
// Devices that ran the Windows Sandbox host process (which depends on Hyper-V) in the lookback.
let HyperVEnabledEndpoint =
    DeviceProcessEvents
    | where Timestamp > ago(QueryPeriod)
    | where FileName == "WindowsSandboxServer.exe"
    | distinct DeviceId;
// Devices that Defender Vulnerability Management reports as affected by CVE-2025-21333.
let VulnerableEndpoint =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2025-21333"
    | distinct DeviceId;
// Names of executables created anywhere in the detection window (candidate PoC binaries).
let NewExePOCCreation =
    DeviceFileEvents
    | where Timestamp > ago(DetectionPeriod)
    | where ActionType == "FileCreated"
    | where FileName endswith ".exe"
    | distinct FileName;
// Primary-token modifications involving one of those new executables, restricted to
// devices that are both Hyper-V enabled and vulnerable.
DeviceEvents
| where Timestamp > ago(DetectionPeriod)
| where ActionType == "ProcessPrimaryTokenModified"
| where FileName has_any(NewExePOCCreation)
| where DeviceId has_any(HyperVEnabledEndpoint) and DeviceId has_any(VulnerableEndpoint)

Explanation

This query is designed to detect potential exploitation of a zero-day vulnerability, specifically CVE-2025-21333, which involves privilege escalation in Windows Hyper-V environments. Here's a simplified breakdown of what the query does:

  1. Query Period and Detection Period:
    • It looks at data from the past 30 days (QueryPeriod) and focuses on events from the last hour (DetectionPeriod).
  2. Identify Hyper-V Enabled Endpoints:
    • It checks for devices that have run the "WindowsSandboxServer.exe" process in the last 30 days, indicating that Hyper-V is enabled on these endpoints.
  3. Identify Vulnerable Endpoints:
    • It identifies devices that are reported as affected by CVE-2025-21333.
  4. Detect New Executable Files:
    • It looks for any new executable files (ending with ".exe") created in the last hour.
  5. Detect Privilege Escalation Attempts:
    • It searches for events where a process's primary token was modified (a sign of potential privilege escalation) in the last hour.
    • It cross-references these events to ensure they involve the newly created executables and occur on devices that are both Hyper-V enabled and vulnerable to CVE-2025-21333.

In summary, this query is a security measure to detect suspicious activities that might indicate an attempt to exploit a specific vulnerability in a Hyper-V environment, focusing on new executable files and privilege escalation attempts.
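As an added example (not the original query or its author's code), the same detection with the correlation tightened: the FileCreated event and the token modification must come from the same DeviceId, the token change must follow the file creation within the detection window, and the device scope is applied before the join. It assumes the standard Defender XDR advanced hunting columns on these tables (FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName) and that FileName on a ProcessPrimaryTokenModified event names the image of the process whose token was modified.

```kql
// Added example, not the original query: per-device, time-ordered correlation.
let QueryPeriod = 30d;
let DetectionPeriod = 1h;
let HyperVEnabledEndpoint =
    DeviceProcessEvents
    | where Timestamp > ago(QueryPeriod)
    | where FileName =~ "WindowsSandboxServer.exe"
    | distinct DeviceId;
let VulnerableEndpoint =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2025-21333"
    | distinct DeviceId;
// In-scope devices: both Hyper-V enabled and reported vulnerable.
let InScopeDevice =
    HyperVEnabledEndpoint
    | join kind=inner VulnerableEndpoint on DeviceId
    | project DeviceId;
// New executables, kept per device with when and by which process they were written.
let NewExe =
    DeviceFileEvents
    | where Timestamp > ago(DetectionPeriod)
    | where ActionType == "FileCreated" and FileName endswith ".exe"
    | where DeviceId in (InScopeDevice)
    | project DeviceId, FileName, FolderPath,
              ExeCreatedTime = Timestamp,
              ExeWrittenBy = InitiatingProcessFileName;   // assumed column name
// Token modifications where the modified process image is one of those new files
// on the same device, and the modification happened after the file was created.
DeviceEvents
| where Timestamp > ago(DetectionPeriod)
| where ActionType == "ProcessPrimaryTokenModified"
| where DeviceId in (InScopeDevice)
| project DeviceId, FileName, TokenModifiedTime = Timestamp,
          ModifyingProcess = InitiatingProcessFileName,      // assumed column name
          ModifyingAccount = InitiatingProcessAccountName    // assumed column name
| join kind=inner NewExe on DeviceId, FileName
| where TokenModifiedTime between (ExeCreatedTime .. (ExeCreatedTime + DetectionPeriod))
| project-away DeviceId1, FileName1
| summarize TokenModifications = count(),
            FirstSeen = min(TokenModifiedTime),
            LastSeen = max(TokenModifiedTime)
    by DeviceId, FileName, FolderPath, ExeCreatedTime, ExeWrittenBy,
       ModifyingProcess, ModifyingAccount
| order by FirstSeen desc
```

Because the join is on DeviceId as well as FileName, an unrelated .exe dropped on one host no longer causes token-modification events on every other in-scope host to match.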

Details

Steven Lim

Released: March 6, 2025

Tables

DeviceProcessEvents, DeviceTvmSoftwareVulnerabilities, DeviceFileEvents, DeviceEvents

Operators

let, ago, distinct, endswith, has_any, where