Query Details

Windows File Explorer Elevation Of Privilege Vulnerability CVE 2024 38100 Exploited

Query

**Windows File Explorer Elevation Of Privilege Vulnerability(CVE-2024-38100) Exploited**

This KQL query helps identify exploitation of a Windows vulnerability that resides in the ShellWindows DCOM object within the Windows File Explorer process: when File Explorer runs at a High Integrity Level, improper access controls on that object can be abused. By leveraging COM cross-session activation (specifically the ShellWindows DCOM object, CLSID 9BA05972-F6A8-11CF-A442-00A0C90A8F39), attackers can escalate privileges to execute arbitrary commands or launch reverse shells using methods like ShellExecute.
With a CVSS score of 7.8 (High), exploitation can lead to unauthorized access to sensitive files, installation of malware, or full system compromise. The attack has low complexity and requires local access, and it became more dangerous after a proof-of-concept was publicly disclosed in July 2024.


```
DeviceProcessEvents
// Command lines that reference the ShellWindows DCOM CLSID (contains is case-insensitive)
| where ProcessCommandLine contains "9BA05972-F6A8-11CF-A442-00A0C90A8F39"
// Enrich each process event with the device's OS details
| join kind=inner (DeviceInfo) on $left.DeviceId == $right.DeviceId
// Keep only the Windows Server distributions and builds the query treats as in scope
| where (OSDistribution has "WindowsServer2016" and OSBuild < 14393)
    or (OSDistribution has "WindowsServer2019" and OSBuild < 17763)
    or (OSDistribution has "WindowsServer2022" and OSVersionInfo !contains "23H2" and OSBuild < 20348)
    or (OSDistribution has "WindowsServer2022" and OSVersionInfo contains "23H2" and OSBuild < 25398)
| distinct OSVersion, OSArchitecture, OSVersionInfo, OSDistribution, OSBuild, ProcessCommandLine
```

Explanation

This KQL query is designed to detect potential exploitation of a specific Windows vulnerability, identified as CVE-2024-38100, which affects the Windows File Explorer. Here's a simplified breakdown of what the query does:

  1. Target vulnerability: the query focuses on a vulnerability in the ShellWindows DCOM object within Windows File Explorer, which can be exploited to gain elevated privileges.

  2. Detection method:

    • It looks for processes whose command line contains the DCOM object identifier 9BA05972-F6A8-11CF-A442-00A0C90A8F39, which is associated with the vulnerability.

  3. System criteria: the query filters results to include only Windows Server versions that are potentially vulnerable:

    • Windows Server 2016 with builds lower than 14393.
    • Windows Server 2019 with builds lower than 17763.
    • Windows Server 2022 with builds lower than 20348, unless the version info contains "23H2", in which case it checks for builds lower than 25398.

  4. Output:

    • It provides a distinct list of operating system details and the command line of the processes that might indicate exploitation attempts. This includes OS version, architecture, distribution, build, and the specific command line executed.

In essence, this query helps security analysts identify systems that might be at risk of this vulnerability being exploited, allowing them to take appropriate action to secure those systems.
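As an added example (not part of the original query page), the join and filters above re-implemented in Python and run over constructed DeviceProcessEvents and DeviceInfo rows, so the detection logic can be checked offline; the row shapes and values are constructed, and `_has` approximates KQL's case-insensitive `has`/`contains`.

```python
SHELLWINDOWS_CLSID = "9BA05972-F6A8-11CF-A442-00A0C90A8F39"

# Constructed sample rows shaped like DeviceProcessEvents (not real telemetry).
PROCESS_EVENTS = [
    {"DeviceId": "dev-1", "ProcessCommandLine": "poc.exe /clsid {9ba05972-f6a8-11cf-a442-00a0c90a8f39}"},
    {"DeviceId": "dev-1", "ProcessCommandLine": "poc.exe /clsid {9ba05972-f6a8-11cf-a442-00a0c90a8f39}"},
    {"DeviceId": "dev-2", "ProcessCommandLine": "poc.exe /clsid {9BA05972-F6A8-11CF-A442-00A0C90A8F39}"},
    {"DeviceId": "dev-3", "ProcessCommandLine": "notepad.exe C:\\notes.txt"},
    {"DeviceId": "dev-4", "ProcessCommandLine": "poc.exe /clsid {9BA05972-F6A8-11CF-A442-00A0C90A8F39}"},
]
# Constructed sample rows shaped like DeviceInfo (one row per device here).
DEVICE_INFO = [
    {"DeviceId": "dev-1", "OSDistribution": "WindowsServer2022", "OSVersionInfo": "23H2", "OSBuild": 25300, "OSVersion": "10.0", "OSArchitecture": "x64"},
    {"DeviceId": "dev-2", "OSDistribution": "WindowsServer2022", "OSVersionInfo": "21H2", "OSBuild": 20348, "OSVersion": "10.0", "OSArchitecture": "x64"},
    {"DeviceId": "dev-3", "OSDistribution": "WindowsServer2019", "OSVersionInfo": "1809", "OSBuild": 17000, "OSVersion": "10.0", "OSArchitecture": "x64"},
    {"DeviceId": "dev-4", "OSDistribution": "WindowsServer2016", "OSVersionInfo": "1607", "OSBuild": 14000, "OSVersion": "10.0", "OSArchitecture": "x64"},
]

def _has(value: str, term: str) -> bool:
    # Approximates KQL `has`/`contains`; both are case-insensitive.
    return term.lower() in value.lower()

def is_in_scope_build(dev: dict) -> bool:
    # Port of the query's OS filter; the thresholds are the ones on the page.
    dist, info, build = dev["OSDistribution"], dev["OSVersionInfo"], dev["OSBuild"]
    if _has(dist, "WindowsServer2016"):
        return build < 14393
    if _has(dist, "WindowsServer2019"):
        return build < 17763
    if _has(dist, "WindowsServer2022"):
        return build < (25398 if _has(info, "23H2") else 20348)
    return False

def find_shellwindows_hits(events: list, devices: list) -> list:
    # Inner-join on DeviceId, apply both filters, then emit distinct rows.
    by_id = {d["DeviceId"]: d for d in devices}
    hits, seen = [], set()
    for ev in events:
        if not _has(ev["ProcessCommandLine"], SHELLWINDOWS_CLSID):
            continue
        dev = by_id.get(ev["DeviceId"])
        if dev is None or not is_in_scope_build(dev):
            continue
        row = (dev["OSVersion"], dev["OSArchitecture"], dev["OSVersionInfo"],
               dev["OSDistribution"], dev["OSBuild"], ev["ProcessCommandLine"])
        if row not in seen:  # `distinct`
            seen.add(row)
            hits.append(row)
    return hits
```

With the sample data only dev-1 (Server 2022 23H2, build below 25398) and dev-4 (Server 2016, build below 14393) are returned; dev-2 sits exactly at the 20348 threshold and dev-3 never referenced the CLSID.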

Details


Sergio Albea

Released: January 30, 2025

Tables

DeviceProcessEvents, DeviceInfo

Keywords

DeviceProcessEvents, DeviceInfo, OSVersion, OSArchitecture, OSVersionInfo, OSDistribution, OSBuild, ProcessCommandLine

Operators

DeviceProcessEvents, where, contains, join, kind=inner, on, ==, has, <, !contains, or, distinct
