CVE-2023-36424

CVE-2023-36424 - Microsoft Windows Out-of-Bounds Read Exploitation

Detects exploitation attempts of CVE-2023-36424, a Microsoft Windows out-of-bounds read vulnerability (CWE-125) listed in CISA's Known Exploited Vulnerabilities catalog. Out-of-bounds reads in Windows kernel or system components can be leveraged for information disclosure, for privilege escalation, or as one step in a longer exploit chain. This detection monitors for anomalous process behaviour, crash artifacts (Windows Error Reporting activity and memory access violations), and privilege escalation patterns consistent with exploitation of this class of vulnerability. None of those signals is unique to this CVE, which is why the detection is rated at medium confidence and why a single hit should be treated as a hunting lead rather than confirmed exploitation.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Microsoft
Product
Windows

Weakness (CWE)
CWE-125 Out-of-bounds Read
Timeline

Disclosed
April 13, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2023-36424 - Microsoft Windows Out-of-Bounds Read Exploitation?

CVE-2023-36424 - Microsoft Windows Out-of-Bounds Read Exploitation (CVE-2023-36424) maps to the MITRE ATT&CK tactics Privilege Escalation, Credential Access and Execution: the adversary is trying to gain higher-level permissions, obtain credentials, or run code on the host.

This page provides production-ready detection logic for CVE-2023-36424 - Microsoft Windows Out-of-Bounds Read Exploitation, covering the data sources and telemetry it touches: Microsoft Sentinel SecurityEvent, Microsoft Defender for Endpoint DeviceProcessEvents, and Microsoft Defender for Endpoint DeviceEvents. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic
Privilege Escalation, Credential Access, Execution
Microsoft Sentinel / Defender (kusto)

let timeWindow = 24h;
// Parents whose child-process activity is worth a look. ntoskrnl.exe is the kernel image, not a
// user-mode process, and is unlikely to ever appear as InitiatingProcessFileName; check your telemetry.
let suspiciousProcesses = dynamic(["werfault.exe", "ntoskrnl.exe", "lsass.exe", "csrss.exe"]);
let systemLogonId = "0x3e7";   // well-known LogonId of the SYSTEM logon session
union isfuzzy=true
(
    // Security log: WerFault process creation (4688), failed logons (4625) and special-privilege
    // assignment (4672) for non-SYSTEM, non-machine accounts. The logon-ID test is scoped to
    // 4625/4672 only; applying it to 4688 as well returns every non-SYSTEM process creation.
    SecurityEvent
    | where TimeGenerated >= ago(timeWindow)
    | where EventID in (4688, 4625, 4672)
    | where SubjectUserName !endswith "$"
    | where (EventID == 4688 and NewProcessName has_any ("werfault.exe", "ReportFault"))
         or (EventID in (4625, 4672) and SubjectLogonId != systemLogonId)
    | project Timestamp = TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName,
              Source = "SecurityEvent", Detail = strcat("EventID ", EventID, " ", NewProcessName),
              ProcessId = tostring(ProcessId)
),
(
    // Defender: WerFault launches and children of the listed parents
    DeviceProcessEvents
    | where Timestamp >= ago(timeWindow)
    | where FileName =~ "werfault.exe" or InitiatingProcessFileName in~ (suspiciousProcesses)
    | where AccountName !endswith "$"
    | project Timestamp, DeviceName, AccountName,
              Source = "DeviceProcessEvents",
              Detail = strcat(InitiatingProcessFileName, " -> ", FileName, " ", ProcessCommandLine),
              ProcessId = tostring(ProcessId)
),
(
    // Defender: memory-fault telemetry. Confirm these ActionType values exist in your tenant
    // (DeviceEvents | distinct ActionType) before relying on this branch.
    DeviceEvents
    | where Timestamp >= ago(timeWindow)
    | where ActionType in ("MemoryAccessViolation", "ExploitGuardNullPage")
    | project Timestamp, DeviceName, AccountName,
              Source = "DeviceEvents",
              Detail = strcat(ActionType, " ", InitiatingProcessFileName, " ", InitiatingProcessCommandLine),
              ProcessId = tostring(InitiatingProcessId)
)
| where isnotempty(DeviceName)
// Triage aid: a host that fires from more than one source in the window is the stronger lead
| summarize Hits = count(), Sources = make_set(Source), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Details = make_list(Detail, 20) by DeviceName, AccountName
| order by array_length(Sources) desc, Hits desc

Detects indicators associated with exploitation of CVE-2023-36424 and similar out-of-bounds read bugs: Windows Error Reporting (WerFault.exe) launches, memory-access-violation telemetry, and failed-logon or special-privilege events for non-SYSTEM, non-machine accounts. Results from the three sources are unioned rather than joined; during triage, pivot on host and account, since a host that appears in more than one source within the window is the stronger lead. Machine accounts (names ending in "$") and the SYSTEM logon session (LogonId 0x3e7) are excluded to keep service and kernel-driven activity out of the results.
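To check the filtering logic and the false-positive exclusions offline, here is an added Python emulation of the query above, run over constructed telemetry rows. This is example code written for this page, not code from the original page or from any vendor; the field names follow the Sentinel SecurityEvent and Defender DeviceProcessEvents / DeviceEvents schemas, and the ActionType strings are taken from the query as an assumption to verify in your own tenant. Every row in the sample data is made up.

```python
"""Added example: emulate the KQL detection over constructed telemetry rows."""
from collections import defaultdict

SYSTEM_LOGON_ID = "0x3e7"  # well-known LogonId of the SYSTEM logon session
# Parents whose children are worth a look (mirrors the query's suspiciousProcesses)
SUSPICIOUS_PARENTS = {"werfault.exe", "lsass.exe", "csrss.exe"}
# Assumption: the ActionType strings used by the query; verify against your tenant
EXPLOIT_ACTION_TYPES = {"MemoryAccessViolation", "ExploitGuardNullPage"}


def is_machine_account(name: str) -> bool:
    """Computer accounts end in '$' and are excluded, as in the query."""
    return name.endswith("$")


def match_security_event(ev: dict) -> bool:
    """SecurityEvent branch: WerFault creation (4688), or a failed logon /
    special-privilege assignment (4625 / 4672) for a non-SYSTEM logon."""
    if is_machine_account(ev.get("SubjectUserName", "")):
        return False
    event_id = ev.get("EventID")
    if event_id == 4688:
        image = ev.get("NewProcessName", "").lower()
        return "werfault.exe" in image or "reportfault" in image
    if event_id in (4625, 4672):
        return ev.get("SubjectLogonId") != SYSTEM_LOGON_ID
    return False


def match_process_event(ev: dict) -> bool:
    """DeviceProcessEvents branch: WerFault launch or a child of a listed parent."""
    if is_machine_account(ev.get("AccountName", "")):
        return False
    return (ev.get("FileName", "").lower() == "werfault.exe"
            or ev.get("InitiatingProcessFileName", "").lower() in SUSPICIOUS_PARENTS)


def match_device_event(ev: dict) -> bool:
    """DeviceEvents branch: memory-fault telemetry."""
    return ev.get("ActionType") in EXPLOIT_ACTION_TYPES


def host_of(ev: dict) -> str:
    """Normalise Computer (Sentinel) and DeviceName (Defender) to a short lowercase host name."""
    return (ev.get("Computer") or ev.get("DeviceName") or "").split(".")[0].lower()


def run_detection(security, process, device):
    """Union of the three branches, each hit tagged with its source table."""
    hits = [("SecurityEvent", e) for e in security if match_security_event(e)]
    hits += [("DeviceProcessEvents", e) for e in process if match_process_event(e)]
    hits += [("DeviceEvents", e) for e in device if match_device_event(e)]
    return hits


def hosts_with_multiple_sources(hits):
    """Triage aid: hosts that fired from more than one source are the stronger leads."""
    sources = defaultdict(set)
    for source, ev in hits:
        sources[host_of(ev)].add(source)
    return sorted(h for h, s in sources.items() if len(s) > 1)


# Constructed sample telemetry (not real logs)
SECURITY_EVENTS = [
    {"EventID": 4688, "Computer": "WS01.corp.local", "SubjectUserName": "alice",
     "SubjectLogonId": "0x5a3b1", "NewProcessName": r"C:\Windows\System32\WerFault.exe"},
    {"EventID": 4688, "Computer": "WS01.corp.local", "SubjectUserName": "alice",
     "SubjectLogonId": "0x5a3b1", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4672, "Computer": "WS01.corp.local", "SubjectUserName": "SYSTEM",
     "SubjectLogonId": "0x3e7"},                       # SYSTEM session: excluded
    {"EventID": 4672, "Computer": "WS02.corp.local", "SubjectUserName": "WS02$",
     "SubjectLogonId": "0x7c1"},                       # machine account: excluded
    {"EventID": 4672, "Computer": "WS01.corp.local", "SubjectUserName": "alice",
     "SubjectLogonId": "0x5a3b1"},
]
PROCESS_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "alice", "FileName": "WerFault.exe",
     "InitiatingProcessFileName": "svchost.exe",
     "ProcessCommandLine": "WerFault.exe -u -p 4321 -s 512"},
    {"DeviceName": "ws03", "AccountName": "bob", "FileName": "cmd.exe",
     "InitiatingProcessFileName": "explorer.exe"},    # ordinary shell: excluded
    {"DeviceName": "ws03", "AccountName": "bob", "FileName": "cmd.exe",
     "InitiatingProcessFileName": "csrss.exe"},       # unexpected parent
]
DEVICE_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "alice", "ActionType": "MemoryAccessViolation",
     "InitiatingProcessFileName": "viewer.exe"},
    {"DeviceName": "ws03", "AccountName": "bob", "ActionType": "ProcessCreated"},
]

if __name__ == "__main__":
    hits = run_detection(SECURITY_EVENTS, PROCESS_EVENTS, DEVICE_EVENTS)
    for source, ev in hits:
        print(f"{host_of(ev):6} {source:20} {ev}")
    print("multi-source hosts:", hosts_with_multiple_sources(hits))
```

On the sample data the emulation returns five hits, and only ws01 fires from more than one source; the notepad.exe process creation, the SYSTEM special-privilege event and the machine-account event are all dropped, which is the behaviour the False Positives section below relies on.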

Severity: high. Confidence: medium.

Data Sources

Microsoft Sentinel SecurityEvent, Microsoft Defender for Endpoint DeviceProcessEvents, Microsoft Defender for Endpoint DeviceEvents

Required Tables

SecurityEvent, DeviceProcessEvents, DeviceEvents

False Positives

  • Legitimate application crashes triggering WerFault.exe invocation during normal operations
  • Software developers or QA engineers running fuzz testing or debugging sessions on Windows
  • Antivirus or EDR products performing memory scanning that triggers access violation telemetry
  • Windows Update or patching processes that temporarily trigger error reporting activity

Sigma rule & cross-platform mapping

The detection logic for CVE-2023-36424 - Microsoft Windows Out-of-Bounds Read Exploitation (CVE-2023-36424) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows
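As an added example for that logsource (a rule written for this page, not one shipped by the original page or by the Sigma project), the WerFault-with-unexpected-parent branch of the detection expressed in Sigma's process_creation fields. The parent allow-list (svchost.exe hosting the WER service, wermgr.exe) is an assumption to baseline in your own environment, and the rule deliberately carries no id until it is adopted.

```yaml
title: WerFault.exe Launched by Non-Standard Parent
status: experimental
description: >
  WerFault.exe started by a parent other than the Windows Error Reporting
  service host. Added example rule for the process_creation logsource above;
  the expected-parent list is an assumption and must be baselined per environment.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\WerFault.exe'
  filter_expected_parent:
    ParentImage|endswith:
      - '\svchost.exe'
      - '\wermgr.exe'
  condition: selection and not filter_expected_parent
falsepositives:
  - Legitimate application crashes reported through a parent not on the list
  - Developers or QA engineers running fuzzing or debugging sessions
level: high
tags:
  - attack.privilege_escalation
```

Before enabling it, run the selection on its own for a few days and record which ParentImage values appear; anything that shows up at volume (for example a custom crash handler) belongs in the filter, not in the alert queue.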


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Out-of-Bounds Read Crash via Malformed Input

    Expected signal: Windows Event ID 1000 (Application Error) and 1001 (Windows Error Reporting) in the Application log; WerFault.exe process launch visible in Sysmon Event ID 1; crash dump file created in %LOCALAPPDATA%\CrashDumps (only when WER LocalDumps is configured under HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps; by default no local dump is written)

  2. Test 2: Privilege Escalation Simulation Following Crash Artifact

    Expected signal: Windows Event ID 4672 (Special Privileges Assigned) in the Security log; process creation events in Sysmon for cmd.exe and powershell.exe; elevated process token in DeviceProcessEvents

  3. Test 3: Memory Dump Creation Mimicking Exploit Artifact

    Expected signal: Sysmon Event ID 11 (FileCreate) for a .dmp file in the CrashDumps directory; DeviceFileEvents entry for the dump file creation; rundll32.exe process creation with comsvcs.dll MiniDump arguments in process telemetry. Caveat: rundll32 comsvcs.dll MiniDump is also the well-known LSASS credential-dumping primitive, so expect it to raise credential-access alerts in Defender and other EDRs; point it at a throwaway process on a non-production host.

  4. Test 4: WerFault.exe Manual Invocation Simulation

    Expected signal: Sysmon Event ID 1 showing WerFault.exe launched by PowerShell (non-standard parent); DeviceProcessEvents with FileName=werfault.exe and InitiatingProcessFileName=powershell.exe; potentially Event ID 1001 in the Application log

Unlock Pro Content

Get the full detection package for CVE-2023-36424 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections