Detect CVE-2024-26234 — Windows Proxy Driver Spoofing via Malicious Signed Driver in Google Chronicle
Detects exploitation of CVE-2024-26234, a Windows Proxy Driver Spoofing vulnerability where threat actors abuse Microsoft's WHQL signing process to load a malicious signed kernel driver. The driver installs a proxy component enabling persistent backdoor access. Severity is elevated given weaponized exploit status and kernel-level code execution potential.
MITRE ATT&CK
YARA-L Detection Query
rule CVE_2024_26234_proxy_driver_spoofing {
meta:
author = "df00tech"
description = "Detects CVE-2024-26234 — malicious Microsoft-signed proxy driver loading and establishing outbound connections"
severity = "HIGH"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2024-26234"
tactic = "TA0003"
technique = "T1543.003"
events:
$driver_load.metadata.event_type = "PROCESS_LAUNCH"
$driver_load.principal.process.file.full_path = /\.sys$/i
$driver_load.target.file.signature.signer_name = /microsoft/i
$driver_load.target.file.signature.trust_chain_error = false
$driver_load.principal.hostname = $hostname
$network_conn.metadata.event_type = "NETWORK_CONNECTION"
$network_conn.principal.process.file.full_path = /\.sys$/i
$network_conn.target.port in (80, 443, 1080, 3128, 8080, 8443)
$network_conn.principal.hostname = $hostname
match:
$hostname over 30m
condition:
$driver_load and $network_conn
}Chronicle YARA-L 2.0 rule correlating Microsoft-signed kernel driver loads with proxy-port network connections from .sys processes on the same host within 30 minutes.
Data Sources
Required Tables
False Positives & Tuning
- Authorized Microsoft-signed network drivers performing legitimate connectivity checks
- Security endpoint agents using kernel drivers for network traffic inspection
- Windows Defender Network Inspection System (NIS) driver activity
- Signed third-party firewall drivers with management plane connections
Other platforms for CVE-2024-26234
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Deploy a self-signed WHQL-mimicking kernel driver
Expected signal: Windows Security Event ID 7045 (service install) with ServiceType=kernel, Sysmon Event ID 6 (driver load) with ImageLoaded path in ProgramData, and Code Integrity event in Microsoft-Windows-CodeIntegrity/Operational log.
- Test 2Simulate proxy connection from a .sys-named process
Expected signal: Sysmon Event ID 3 (network connection) with Image path ending in .sys, destination ports 1080 and 8080, and non-loopback destination IP.
- Test 3Extract and inspect driver certificate chain for WHQL abuse indicators
Expected signal: Process creation event for sigcheck64.exe with command line referencing the driver path. Output file creation in C:\Temp\.
- Test 4Registry persistence check for kernel driver service entry
Expected signal: Sysmon Event ID 13 (registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\SimProxyDrv\ImagePath with a value pointing to a non-standard driver path, and Windows Security Event ID 4657 (registry value modified) if object access auditing is enabled.
Unlock Pro Content
Get the full detection package for CVE-2024-26234 including response playbook, investigation guide, and atomic red team tests.