Potential CVE-2024-35250 Exploitation Activity

 1title: Potential CVE-2024-35250 Exploitation Activity
 2id: 17ce9373-2163-4a2c-90ba-f91e9ef7a8c1
 3status: experimental
 4description: |
 5        Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
 6references:
 7    - https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
 8    - https://github.com/varwara/CVE-2024-35250
 9    - https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/
10    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
11author: '@eyezuhk Isaac Fernandes'
12date: 2025-02-19
13tags:
14    - attack.privilege-escalation
15    - attack.t1068
16    - cve.2024-35250
17    - detection.emerging-threats
18logsource:
19    category: image_load
20    product: windows
21detection:
22    selection:
23        ImageLoaded|endswith: '\ksproxy.ax'
24    filter_main_system_paths:
25        Image|startswith:
26            - 'C:\Program Files\'
27            - 'C:\Program Files (x86)\'
28            - 'C:\Windows\System32\'
29            - 'C:\Windows\SysWOW64\'
30    filter_optional_teams:
31        Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
32    filter_optional_zoom:
33        Image|endswith: '\AppData\Roaming\Zoom\bin\Zoom.exe'
34    filter_optional_firefox:
35        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
36    filter_optional_chrome:
37        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
38    filter_optional_opera:
39        Image|endswith: '\AppData\Local\Programs\Opera\opera.exe'
40    filter_optional_discord:
41        Image|endswith: '\AppData\Local\Discord\app-*\Discord.exe'
42    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
43falsepositives:
44    - Legitimate applications that use Windows Stream Interface APIs.
45    - Media applications that use DirectShow filters.
46level: medium

References

• CISA and FBI Raise Alerts on Exploited Flaws and Expanding HiatusRAT Campaign

  

  CISA adds Adobe ColdFusion and Microsoft Windows flaws to exploited list; FBI warns of HiatusRAT targeting IoT devices.

  
  Read More

• GitHub - varwara/CVE-2024-35250: PoC for the Untrusted Pointer Dereference in the ks.sys driver

  

  PoC for the Untrusted Pointer Dereference in the ks.sys driver - varwara/CVE-2024-35250

  
  Read More

• Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part I | DEVCORE 戴夫寇爾

  

  This research will discuss an overlooked attack surface that allowed us to find more than ten vulnerabilities within two months. Additionally, we will delve into a proxy-based logical vulnerability type that allows us to bypass most validations, enabling us to successfully exploit Windows 11 in Pwn2Own Vancouver 2024.

  
  Read More

• Known Exploited Vulnerabilities Catalog | CISA

  For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.How to use the KEV CatalogThe KEV catalog is also available in these formats:

  
  Read More

Related rules

• Exploiting CVE-2019-1388
• Potential CVE-2021-41379 Exploitation Attempt
• InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
• Suspicious Sysmon as Execution Parent
• Exploiting SetupComplete.cmd CVE-2019-1378