CVE-2024-26234 Elastic Security · Elastic

Detect CVE-2024-26234 — Windows Proxy Driver Spoofing via Malicious Signed Driver in Elastic Security

Detects exploitation of CVE-2024-26234, a Windows Proxy Driver Spoofing vulnerability where threat actors abuse Microsoft's WHQL signing process to load a malicious signed kernel driver. The driver installs a proxy component enabling persistent backdoor access. Severity is elevated given weaponized exploit status and kernel-level code execution potential.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=30m
  [driver where event.action == "driver-load"
   and dll.code_signature.subject_name like~ "*Microsoft*"
   and dll.code_signature.trusted == true
   and not process.name in~ ("System", "smss.exe", "services.exe", "wininit.exe")]
  [network where event.type == "connection"
   and process.executable like~ "*.sys"
   and destination.port in (80, 443, 1080, 3128, 8080, 8443)
   and not destination.ip in ("127.0.0.1", "::1")]
high severity medium confidence

EQL sequence correlating a Microsoft-signed driver load with a subsequent outbound network connection initiated by a .sys process within 30 minutes on the same host.

Data Sources

Elastic SecurityEndpoint agent

Required Tables

logs-endpoint.events.driver-*logs-endpoint.events.network-*

False Positives & Tuning

  • Legitimate VPN clients using signed kernel drivers for tunnel establishment
  • Network monitoring tools with kernel drivers sending telemetry
  • Antivirus products loading signed drivers and connecting for cloud lookups
  • Windows Defender components with kernel drivers performing signature updates

Other platforms for CVE-2024-26234

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Deploy a self-signed WHQL-mimicking kernel driver

    Expected signal: Windows Security Event ID 7045 (service install) with ServiceType=kernel, Sysmon Event ID 6 (driver load) with ImageLoaded path in ProgramData, and Code Integrity event in Microsoft-Windows-CodeIntegrity/Operational log.

  2. Test 2Simulate proxy connection from a .sys-named process

    Expected signal: Sysmon Event ID 3 (network connection) with Image path ending in .sys, destination ports 1080 and 8080, and non-loopback destination IP.

  3. Test 3Extract and inspect driver certificate chain for WHQL abuse indicators

    Expected signal: Process creation event for sigcheck64.exe with command line referencing the driver path. Output file creation in C:\Temp\.

  4. Test 4Registry persistence check for kernel driver service entry

    Expected signal: Sysmon Event ID 13 (registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\SimProxyDrv\ImagePath with a value pointing to a non-standard driver path, and Windows Security Event ID 4657 (registry value modified) if object access auditing is enabled.

Last updated: 2026-06-20 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-26234 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0003PersistenceTA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1014RootkitT1543.003Windows ServiceT1553.006Code Signing Policy ModificationT1090Proxy

Same Tactic: Persistence

Popular Detections