CVE-2024-26234 CrowdStrike LogScale · LogScale

Detect CVE-2024-26234 — Windows Proxy Driver Spoofing via Malicious Signed Driver in CrowdStrike LogScale

Detects exploitation of CVE-2024-26234, a Windows Proxy Driver Spoofing vulnerability where threat actors abuse Microsoft's WHQL signing process to load a malicious signed kernel driver. The driver installs a proxy component enabling persistent backdoor access. Severity is elevated given weaponized exploit status and kernel-level code execution potential.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=DriverLoad
| DriverLoadFlags != "0x00000004"
| ImageFileName = /\.sys$/i
| ImageSignerName = /microsoft/i
| ImageSigningLevel in (4, 6, 8, 12)
| join type=inner (
    #event_simpleName=NetworkConnectIP4
    | RemotePort in [80, 443, 1080, 3128, 8080, 8443]
    | ImageFileName = /\.sys$/i
    | not RemoteAddressIP4 in ["127.0.0.1", "0:0:0:0:0:0:0:1"]
    | table aid, ImageFileName, RemoteAddressIP4, RemotePort
  ) by aid, ImageFileName
| table _time, aid, ComputerName, ImageFileName, ImageSignerName, RemoteAddressIP4, RemotePort
| sort -_time
high severity medium confidence

Correlates CrowdStrike DriverLoad events for Microsoft-signed .sys files with outbound network connections from the same driver binary, identifying potential CVE-2024-26234 proxy backdoor activity.

Data Sources

CrowdStrike Falcon

Required Tables

DriverLoadNetworkConnectIP4

False Positives & Tuning

  • Falcon sensor's own kernel driver network communication for telemetry
  • Third-party security product drivers with signed certificates connecting to cloud endpoints
  • Microsoft-signed WFP drivers used by legitimate VPN products
  • Windows network diagnostics using kernel drivers to test connectivity

Other platforms for CVE-2024-26234

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Deploy a self-signed WHQL-mimicking kernel driver

    Expected signal: Windows Security Event ID 7045 (service install) with ServiceType=kernel, Sysmon Event ID 6 (driver load) with ImageLoaded path in ProgramData, and Code Integrity event in Microsoft-Windows-CodeIntegrity/Operational log.

  2. Test 2Simulate proxy connection from a .sys-named process

    Expected signal: Sysmon Event ID 3 (network connection) with Image path ending in .sys, destination ports 1080 and 8080, and non-loopback destination IP.

  3. Test 3Extract and inspect driver certificate chain for WHQL abuse indicators

    Expected signal: Process creation event for sigcheck64.exe with command line referencing the driver path. Output file creation in C:\Temp\.

  4. Test 4Registry persistence check for kernel driver service entry

    Expected signal: Sysmon Event ID 13 (registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\SimProxyDrv\ImagePath with a value pointing to a non-standard driver path, and Windows Security Event ID 4657 (registry value modified) if object access auditing is enabled.

Last updated: 2026-06-20 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-26234 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0003PersistenceTA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1014RootkitT1543.003Windows ServiceT1553.006Code Signing Policy ModificationT1090Proxy

Same Tactic: Persistence

Popular Detections