CVE-2024-26234

Windows Proxy Driver Spoofing via Malicious Signed Driver

CVE-2024-26234 is a medium-severity (CVSS 6.7) proxy driver spoofing vulnerability in Windows. It came to light when a malicious driver signed with a valid Microsoft Hardware Compatibility Publisher (WHCP) certificate was found in the wild: the driver impersonated a legitimate Xiaomi application but contained proxy/backdoor functionality. The flaw is classed as improper access control (CWE-284) in how Windows handles proxy driver installations. Despite the medium CVSS score, the vulnerability is forensically significant because it demonstrates abuse of the Microsoft WHCP signing process for driver-level persistence and traffic interception. Exploitation requires high (local) privileges, which limits the attack surface to post-compromise and insider-threat scenarios. The detection below is useful for surfacing signed malicious drivers and driver-based persistence on Windows endpoints.

Microsoft Sentinel / Defender (KQL)
// CVE-2024-26234 — Windows Proxy Driver Spoofing
// Detect malicious signed drivers and suspicious proxy driver installations
// Key signals: new driver loads from unexpected paths, proxy-related driver installs,
//              drivers with revoked or suspicious certificates
let SuspiciousDriverLoad =
DeviceEvents
| where TimeGenerated > ago(24h)
| where ActionType == "DriverLoad" or ActionType == "ServiceInstalled"
| where AdditionalFields has_any (
    "proxy", "vpn", "tunnel", "inject", "hook",
    "filter", "intercept", "redirect"
  )
    or InitiatingProcessFolderPath has_any ("%Temp%", "\\AppData\\", "\\Downloads\\")
| extend ThreatIndicator = "CVE-2024-26234-Suspicious-Driver";
let DriverFromUserPath =
DeviceImageLoadEvents
| where TimeGenerated > ago(24h)
| where FileName endswith ".sys"
| where FolderPath has_any (
    "Temp", "AppData", "Downloads", "ProgramData",
    "Users"
  )
    and not FolderPath has "\\Windows\\"
    and not FolderPath has "\\Program Files\\"
| extend ThreatIndicator = "CVE-2024-26234-Driver-NonStandard-Path";
let ProxyServiceInstall =
DeviceRegistryEvents
| where TimeGenerated > ago(24h)
// DeviceRegistryEvents records the full hive name (HKEY_LOCAL_MACHINE), not the HKLM
// shorthand, so the shorthand would never match
| where RegistryKey has_any (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Protocols\\Handler"
  )
| where RegistryValueName in~ ("Start", "ImagePath", "Type")
| where RegistryValueData has_any (".sys", "proxy", "filter", "hook")
| where not (InitiatingProcessFileName in~ ("msiexec.exe", "setup.exe", "install.exe")
    and InitiatingProcessFolderPath has "Program Files")
| extend ThreatIndicator = "CVE-2024-26234-Proxy-Service-Registry";
SuspiciousDriverLoad
| union DriverFromUserPath
| union ProxyServiceInstall
| sort by TimeGenerated desc
Severity: High | Confidence: Medium

Data Sources

  • Microsoft Defender for Endpoint (DeviceEvents)
  • Microsoft Defender for Endpoint (DeviceImageLoadEvents)
  • Microsoft Defender for Endpoint (DeviceRegistryEvents)

Required Tables

  • DeviceEvents
  • DeviceImageLoadEvents
  • DeviceRegistryEvents

False Positives

  • Legitimate VPN client drivers installing via msiexec from Program Files (excluded in query)
  • Security software (EDR, AV) installing kernel filter drivers
  • Network monitoring tools (Wireshark WinPcap/Npcap) installing capture drivers
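The header comment of the query above lists "drivers with revoked or suspicious certificates" as a key signal, but none of the three sub-queries actually inspects signer data, and the false-positive classes listed here (EDR/AV filter drivers, VPN drivers, capture drivers) are best handled by signer rather than by path. The following KQL is an added example, not part of the original detection package: it joins .sys image loads against DeviceFileCertificateInfo (a standard Defender for Endpoint table) to flag unsigned drivers, drivers whose signature is not trusted (revoked or broken chain), and WHCP-signed drivers loaded from outside the Windows directory, then tunes out an allowlist of signers. The signer names in the allowlist are constructed placeholders; replace them with the vendors present in your estate. The TimeGenerated column and the `\\Windows\\` path convention follow the original query (Sentinel ingestion).

```kusto
// Added example (not from the original detection): certificate-based driver triage
// for CVE-2024-26234, plus signer-based tuning for the false positives listed above.
// Assumptions: DeviceImageLoadEvents and DeviceFileCertificateInfo are both ingested;
// allowlist entries below are constructed placeholders, not vetted vendor names.
let KnownGoodSigners = datatable(Signer:string) [
    "Example EDR Vendor Inc.",          // placeholder: your EDR/AV vendor
    "Example VPN Client Ltd.",          // placeholder: your VPN client vendor
    "Example Packet Capture Project"    // placeholder: Npcap/WinPcap-style capture tooling
];
let DriverLoads =
    DeviceImageLoadEvents
    | where TimeGenerated > ago(24h)
    | where FileName endswith ".sys"
    | project TimeGenerated, DeviceName, FileName, FolderPath, SHA1,
              InitiatingProcessFileName, InitiatingProcessFolderPath;
// One certificate record per hash: keep the most recent evaluation Defender made
let DriverCerts =
    DeviceFileCertificateInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by SHA1
    | project SHA1, IsSigned, IsTrusted, IsRootSignerMicrosoft, Signer, Issuer,
              CertificateCreationTime, CertificateExpirationTime;
DriverLoads
// leftouter keeps loads with no certificate record; those surface as a coverage gap
| join kind=leftouter DriverCerts on SHA1
| extend CertSignal = case(
    isnull(IsSigned), "No certificate record for this hash (coverage gap, verify manually)",
    IsSigned == false, "Unsigned driver",
    IsTrusted == false, "Signature present but not trusted (revoked or broken chain)",
    Signer =~ "Microsoft Windows Hardware Compatibility Publisher"
        and not (FolderPath has "\\Windows\\"),
        "WHCP-signed driver loaded from outside the Windows directory",
    "")
| where isnotempty(CertSignal)
// Signer-based tuning: drop drivers from vendors you have explicitly vetted
| where Signer !in~ (KnownGoodSigners)
| extend ThreatIndicator = "CVE-2024-26234-Driver-Certificate"
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, Signer, Issuer,
          IsTrusted, IsRootSignerMicrosoft, CertificateCreationTime, CertSignal,
          ThreatIndicator, InitiatingProcessFileName, InitiatingProcessFolderPath
| sort by TimeGenerated desc
```

The allowlist is keyed on the Signer string rather than on a path because the original query's Program Files exclusion cannot distinguish a vendor's real installer from a trojanised one dropped into the same directory, whereas a signer allowlist only passes drivers that chain to the vendor's own certificate. If the "No certificate record" rows are too noisy in your tenant, move that case out of CertSignal into a separate column and report on it weekly instead.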
