CVE-2024-26234

CVE-2024-26234 — Windows Proxy Driver Spoofing via Malicious Signed Driver

Detects exploitation of CVE-2024-26234, a Windows Proxy Driver Spoofing vulnerability where threat actors abuse Microsoft's WHQL signing process to load a malicious signed kernel driver. The driver installs a proxy component enabling persistent backdoor access. Severity is elevated given weaponized exploit status and kernel-level code execution potential.

Vulnerability Intelligence

Weaponized

Affected Software

Vendor
Microsoft
Product
Windows
Versions
Windows 10, Windows 11, Windows Server 2008-2022

Weakness (CWE)

Timeline

Disclosed
April 9, 2024
Patched
April 9, 2024

CVSS

6.7
Medium (4.0–6.9)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Write-up coming soon

What is CVE-2024-26234 (Windows Proxy Driver Spoofing via Malicious Signed Driver)?

CVE-2024-26234 (Windows Proxy Driver Spoofing via Malicious Signed Driver) maps to the MITRE ATT&CK tactics Persistence, Privilege Escalation and Defense Evasion: the adversary is trying to maintain their foothold.

This page provides production-ready detection logic for CVE-2024-26234 — Windows Proxy Driver Spoofing via Malicious Signed Driver, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactics
Persistence, Privilege Escalation, Defense Evasion
Microsoft Sentinel / Defender
kusto
// Kernel driver loads not initiated by the usual system loaders
let suspiciousDrivers = DeviceEvents
| where ActionType == "DriverLoad"
| where InitiatingProcessFileName !in~ ("System", "smss.exe", "services.exe")
| project DeviceId, Timestamp, FileName, FolderPath, SHA256, InitiatingProcessFileName;
// Keep only drivers whose file carries a trusted Microsoft/Windows signature
// (inner join: the IsTrusted filter already discards rows with no certificate match)
let signedByMicrosoft = suspiciousDrivers
| join kind=inner (
    DeviceFileCertificateInfo
    | where Signer contains "Microsoft" or Signer contains "Windows"
    | project SHA256, Signer, SignerHash, IsTrusted
) on SHA256
| where IsTrusted == true;
// Correlate with proxy-like outbound connections on the same device within 30 minutes
signedByMicrosoft
| join kind=inner (
    DeviceNetworkEvents
    | where RemotePort in (80, 443, 1080, 8080, 8443)
    | where InitiatingProcessFileName endswith ".sys" or RemoteUrl contains "proxy"
    | project DeviceId, NetworkTimestamp=Timestamp, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName
) on DeviceId
| where abs(datetime_diff('minute', Timestamp, NetworkTimestamp)) < 30
| project Timestamp, DeviceId, DriverFile=FileName, FolderPath, SHA256, Signer, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc

Correlates kernel driver loads signed by Microsoft with subsequent outbound proxy-like network connections from .sys processes, a key behavioral indicator of CVE-2024-26234 exploitation.
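To make the correlation above testable offline, here is the same logic re-implemented in Python over constructed sample rows shaped like the three tables the query joins. This is an added example, not code from the original page or from Microsoft; the device IDs, hashes, driver names and IP addresses are constructed, and the 30-minute window uses a timedelta comparison in place of KQL's datetime_diff.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), shaped like the three MDE tables the KQL joins.
DEVICE_EVENTS = [  # DeviceEvents rows with ActionType == "DriverLoad"
    {"DeviceId": "dev-1", "Timestamp": datetime(2024, 4, 10, 9, 0), "ActionType": "DriverLoad",
     "FileName": "simproxy.sys", "FolderPath": "C:\\ProgramData", "SHA256": "hash-a",
     "InitiatingProcessFileName": "setup.exe"},
    {"DeviceId": "dev-2", "Timestamp": datetime(2024, 4, 10, 9, 0), "ActionType": "DriverLoad",
     "FileName": "wfpfilt.sys", "FolderPath": "C:\\Windows\\System32\\drivers", "SHA256": "hash-b",
     "InitiatingProcessFileName": "System"},  # loaded by System: dropped by the !in~ filter
    {"DeviceId": "dev-3", "Timestamp": datetime(2024, 4, 10, 9, 0), "ActionType": "DriverLoad",
     "FileName": "unsigned.sys", "FolderPath": "C:\\Temp", "SHA256": "hash-c",
     "InitiatingProcessFileName": "setup.exe"},  # no trusted Microsoft certificate: dropped
]
CERT_INFO = [  # DeviceFileCertificateInfo rows
    {"SHA256": "hash-a", "Signer": "Microsoft Windows Hardware Compatibility Publisher", "IsTrusted": True},
    {"SHA256": "hash-b", "Signer": "Microsoft Windows", "IsTrusted": True},
    {"SHA256": "hash-c", "Signer": "Example Co", "IsTrusted": False},
]
NETWORK_EVENTS = [  # DeviceNetworkEvents rows
    {"DeviceId": "dev-1", "Timestamp": datetime(2024, 4, 10, 9, 12), "RemoteIP": "198.51.100.7",
     "RemoteUrl": "", "RemotePort": 1080, "InitiatingProcessFileName": "simproxy.sys"},
    {"DeviceId": "dev-1", "Timestamp": datetime(2024, 4, 10, 11, 0), "RemoteIP": "198.51.100.8",
     "RemoteUrl": "", "RemotePort": 8080, "InitiatingProcessFileName": "simproxy.sys"},  # outside 30 min
    {"DeviceId": "dev-3", "Timestamp": datetime(2024, 4, 10, 9, 5), "RemoteIP": "198.51.100.9",
     "RemoteUrl": "http://proxy.example", "RemotePort": 8080, "InitiatingProcessFileName": "unsigned.sys"},
]

EXCLUDED_LOADERS = {"system", "smss.exe", "services.exe"}  # KQL !in~ compares case-insensitively
PROXY_PORTS = {80, 443, 1080, 8080, 8443}
WINDOW = timedelta(minutes=30)  # approximates abs(datetime_diff('minute', ...)) < 30


def correlate(device_events, cert_info, network_events):
    """Trusted Microsoft-signed driver loads (not from System/smss/services) joined to proxy-like
    network events on the same device within 30 minutes; newest first, like the KQL's order by."""
    trusted = {c["SHA256"]: c["Signer"] for c in cert_info if c["IsTrusted"]
               and ("microsoft" in c["Signer"].lower() or "windows" in c["Signer"].lower())}
    hits = []
    for d in device_events:
        if (d["ActionType"] != "DriverLoad" or d["InitiatingProcessFileName"].lower() in EXCLUDED_LOADERS
                or d["SHA256"] not in trusted):
            continue
        for n in network_events:
            proxy_like = n["InitiatingProcessFileName"].lower().endswith(".sys") or "proxy" in n["RemoteUrl"].lower()
            if (n["DeviceId"] == d["DeviceId"] and n["RemotePort"] in PROXY_PORTS and proxy_like
                    and abs(n["Timestamp"] - d["Timestamp"]) < WINDOW):
                hits.append({"Timestamp": d["Timestamp"], "DeviceId": d["DeviceId"], "DriverFile": d["FileName"],
                             "SHA256": d["SHA256"], "Signer": trusted[d["SHA256"]],
                             "RemoteIP": n["RemoteIP"], "RemotePort": n["RemotePort"]})
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)
```

Only the dev-1 load paired with its 09:12 connection survives: the System-loaded driver, the untrusted certificate and the connection two hours later are each dropped by a different clause, which is the set of cases to cover when tuning the query against the false positives listed below.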

Severity: high. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel

Required Tables

DeviceEvents, DeviceFileCertificateInfo, DeviceNetworkEvents

False Positives

  • Legitimate Microsoft-signed network filter drivers (e.g., WFP callout drivers) establishing management connections
  • VPN or network proxy software using signed kernel drivers for traffic interception
  • Security products with kernel drivers performing telemetry upload
  • Windows Update components loading signed drivers during patch cycles

Sigma rule & cross-platform mapping

The detection logic for CVE-2024-26234 (Windows Proxy Driver Spoofing via Malicious Signed Driver) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for:

  • KQL (Microsoft Sentinel / Defender)
  • SPL (Splunk)
  • Elastic Security (EQL)
  • IBM QRadar (AQL)
  • Sumo Logic CSE
  • YARA-L (Google Chronicle / SecOps)
  • CrowdStrike LogScale (CQL)

In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Deploy a self-signed WHQL-mimicking kernel driver

    Expected signal: Windows Security Event ID 7045 (service install) with ServiceType=kernel, Sysmon Event ID 6 (driver load) with ImageLoaded path in ProgramData, and a Code Integrity event in the Microsoft-Windows-CodeIntegrity/Operational log.

  2. Test 2: Simulate a proxy connection from a .sys-named process

    Expected signal: Sysmon Event ID 3 (network connection) with Image path ending in .sys, destination ports 1080 and 8080, and a non-loopback destination IP.

  3. Test 3: Extract and inspect the driver certificate chain for WHQL abuse indicators

    Expected signal: Process creation event for sigcheck64.exe with a command line referencing the driver path. Output file creation in C:\Temp\.

  4. Test 4: Registry persistence check for the kernel driver service entry

    Expected signal: Sysmon Event ID 13 (registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\SimProxyDrv\ImagePath with a value pointing to a non-standard driver path, and Windows Security Event ID 4657 (registry value modified) if object access auditing is enabled.
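The expected signals for Tests 1, 2 and 4 can be checked mechanically against the event log a test run produces. The checker below is an added example, not code from the page or from Atomic Red Team: it classifies constructed Sysmon and Security events (field names follow the Sysmon and Service Control Manager conventions; the service name, driver path and IP addresses are constructed) and reports which expected signals were observed, treating the standard Windows driver directories as the "standard path" baseline. Test 3's sigcheck run is a manual step and is not covered.

```python
import ipaddress
import re

# Constructed sample events (not real telemetry), keyed by the fields the tests above name.
EVENTS = [
    {"Provider": "Service Control Manager", "EventID": 7045, "ServiceName": "SimProxyDrv",
     "ServiceType": "kernel mode driver", "ImagePath": "C:\\ProgramData\\simproxy.sys"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 6, "ImageLoaded": "C:\\ProgramData\\simproxy.sys"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\wfpfilt.sys"},          # standard path: no signal
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 3, "Image": "C:\\ProgramData\\simproxy.sys",
     "DestinationIp": "198.51.100.7", "DestinationPort": 1080},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 3, "Image": "C:\\ProgramData\\simproxy.sys",
     "DestinationIp": "127.0.0.1", "DestinationPort": 8080},               # loopback: no signal
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 13,
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SimProxyDrv\\ImagePath",
     "Details": "\\??\\C:\\ProgramData\\simproxy.sys"},
]

STANDARD_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
IMAGEPATH_KEY = re.compile(r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)


def is_standard_driver_path(path):
    """True when the driver image sits in a Windows driver directory; NT prefixes are normalised first."""
    p = path.lower().replace("\\??\\", "").replace("\\systemroot\\", "c:\\windows\\")
    return p.startswith(STANDARD_DRIVER_DIRS)


def classify(ev):
    """Map one event to the test signal it satisfies, or None when it matches no expected signal."""
    eid = ev["EventID"]
    if eid == 7045 and "kernel" in ev["ServiceType"].lower() and not is_standard_driver_path(ev["ImagePath"]):
        return "test1:service_install"
    if eid == 6 and not is_standard_driver_path(ev["ImageLoaded"]):
        return "test1:driver_load"
    if (eid == 3 and ev["Image"].lower().endswith(".sys") and ev["DestinationPort"] in (1080, 8080)
            and not ipaddress.ip_address(ev["DestinationIp"]).is_loopback):
        return "test2:proxy_connection"
    if eid == 13 and IMAGEPATH_KEY.match(ev["TargetObject"]) and not is_standard_driver_path(ev["Details"]):
        return "test4:registry_persistence"
    return None


def observed_signals(events):
    """Set of expected-signal labels present in a batch of events from one test run."""
    return {label for label in map(classify, events) if label}
```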
