CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
Sigma rule
title: CVE-2022-24527 Microsoft Connected Cache LPE
id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
status: test
description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
references:
    - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.001
    - cve.2022-24527
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
    filter:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
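To show how the rule's `selection and not filter` condition behaves on real-looking telemetry, here is an added example (not part of the Sigma project or this rule page) that applies the same matching logic to constructed Windows file_event records; the `FileEvent` class and the sample events are assumptions made for the example, and Sigma's default case-insensitive string matching is reproduced with `lower()`.

```python
from dataclasses import dataclass

# Suffix and user markers copied from the rule above.
SUSPICIOUS_SUFFIX = r"WindowsPowerShell\Modules\webAdministration\webAdministration.psm1"
# 'AUTHORI' / 'AUTORI' cover 'NT AUTHORITY\SYSTEM' and localized spellings
# of the SYSTEM account, which is why the rule uses substrings rather than
# the full English account name.
SYSTEM_ACCOUNT_MARKERS = ("AUTHORI", "AUTORI")


@dataclass
class FileEvent:
    """Minimal view of a Windows file-creation event (constructed for this example)."""
    target_filename: str
    user: str


def selection(event: FileEvent) -> bool:
    # Sigma string modifiers are case-insensitive unless |cased is specified.
    return event.target_filename.lower().endswith(SUSPICIOUS_SUFFIX.lower())


def filter_system_user(event: FileEvent) -> bool:
    user = event.user.lower()
    return any(marker.lower() in user for marker in SYSTEM_ACCOUNT_MARKERS)


def matches(event: FileEvent) -> bool:
    """Rule condition: selection and not filter."""
    return selection(event) and not filter_system_user(event)


def alerts(events):
    return [e for e in events if matches(e)]


# Constructed sample events, not real telemetry.
MODULE_PATH = r"C:\Program Files\WindowsPowerShell\Modules\webAdministration\webAdministration.psm1"
SAMPLE_EVENTS = [
    # Low-privileged user drops the module: the case the rule is meant to catch.
    FileEvent(MODULE_PATH, r"DESKTOP-01\alice"),
    # Same path written by SYSTEM (e.g. a legitimate installer) is filtered out.
    FileEvent(MODULE_PATH, r"NT AUTHORITY\SYSTEM"),
    # Localized SYSTEM account name, filtered by the 'AUTORI' substring.
    FileEvent(MODULE_PATH, r"AUTORITE NT\SYSTEME"),
    # Unrelated module file: selection does not fire at all.
    FileEvent(r"C:\Users\alice\Documents\WindowsPowerShell\Modules\Pester\Pester.psm1", r"DESKTOP-01\alice"),
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {e.user} created {e.target_filename}")
```

Because the filter keys on the creating account, a write to this path from a non-SYSTEM context is exactly what surfaces; the trade-off is that any SYSTEM-context write to the same path is silently accepted.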