CVE-2024-26234 IBM QRadar · QRadar

Detect CVE-2024-26234 — Windows Proxy Driver Spoofing via Malicious Signed Driver in IBM QRadar

Detects activity consistent with exploitation of CVE-2024-26234, the Windows Proxy Driver Spoofing vulnerability: a malicious kernel driver carrying a valid WHQL signature (Microsoft Windows Hardware Compatibility Publisher), so that it loads under default Driver Signature Enforcement and gives the operator persistent, kernel-level access through a bundled proxy component. Because the Microsoft-side fix consisted of revoking trust in the offending files rather than patching code, detection has to rest on driver-install, driver-load and network telemetry. Severity is rated high given in-the-wild exploitation and kernel-level code execution; confidence is low because the indicators below are heuristic.

MITRE ATT&CK

Tactics: Persistence, Privilege Escalation, Defense Evasion

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  "sourceip",
  "destinationip",
  "destinationport",
  "filename",
  "username",
  QIDNAME(qid) AS event_name,
  UTF8(payload) AS raw_event
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    ((QIDNAME(qid) ILIKE '%driver%install%'
      OR QIDNAME(qid) ILIKE '%driver%load%'
      OR QIDNAME(qid) ILIKE '%service%install%')
     AND UTF8(payload) ILIKE '%.sys%'
     AND UTF8(payload) ILIKE '%microsoft%')
    OR
    ("destinationport" IN (1080, 3128, 8080, 8443)
     AND "filename" ILIKE '%.sys')
  )
  AND LOGSOURCEGROUPNAME(logsourceid) NOT LIKE '%honeypot%'
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity: high · Confidence: low

Two corrections to the query as originally published: AQL has no QIDMap table and does not accept a subquery in the WHERE clause, so the event-type filter is expressed on QIDNAME(qid) instead (check the QID names against your own QID map, since the driver-load QID is named differently from the service-install one); and the time clause LAST 24 HOURS must come after ORDER BY, not before it. Sysmon forwarded through WinCollect is parsed by the Microsoft Windows Security Event Log DSM, so that log source type has to stay in the list even where no dedicated Sysmon type is defined.

Identifies Microsoft-signed driver installation and driver-load events, and connections to common proxy ports from an image named .sys, across Windows and Sysmon log sources in QRadar. Three caveats for the predicate as written. First, forwarded Sysmon payloads carry the provider and channel name Microsoft-Windows-Sysmon, so ILIKE '%microsoft%' over the raw payload does not establish a Microsoft signer; once you have confirmed the payload format in your deployment, anchor the check on the Sysmon Event ID 6 Signature field (for example '%Signature: Microsoft Windows Hardware Compatibility Publisher%'). Second, a System-log Event ID 7045 for a kernel driver is unlikely to contain a 'microsoft' string unless the path or host name does, so the first branch will usually miss the service-install record and rely on the subsequent Sysmon 6 driver load. Third, network connections opened by a kernel driver are attributed by Sysmon Event ID 3 to the System process (PID 4), not to the .sys file, so the second branch catches user-mode binaries named .sys rather than the driver's own traffic; confirm as well that the "filename" property is populated from Sysmon's Image field for Event ID 3, and substitute the property that is if not.

Data Sources

IBM QRadar, Windows Security Event Log, Sysmon

Required Tables

events

False Positives & Tuning

  • Authorized network proxy software relying on signed kernel filter drivers
  • Enterprise DLP solutions with kernel drivers communicating with management servers
  • Hardware vendor drivers (NIC, storage) triggering on port-based heuristics
  • Windows Update driver installations during scheduled maintenance windows

Testing Methodology

Validate this detection against the four adversary techniques below, adapted from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Deploy a self-signed WHQL-mimicking kernel driver

    Expected signal: Windows System log Event ID 7045 (Service Control Manager: a service was installed) with Service Type 'kernel mode driver', Sysmon Event ID 6 (driver loaded) with ImageLoaded under ProgramData, and an event in the Microsoft-Windows-CodeIntegrity/Operational log. On a 64-bit host with Driver Signature Enforcement on and test signing off, a self-signed driver is refused at load, so expect the Code Integrity event without the Sysmon 6 record.

  2. Test 2: Simulate a proxy connection from a .sys-named process

    Expected signal: Sysmon Event ID 3 (network connection) with an Image path ending in .sys, destination ports 1080 and 8080, and a non-loopback destination IP. This exercises the rule's second branch with a user-mode binary named .sys; a connection opened by a kernel driver itself is attributed to the System process in Event ID 3 and would not match.

  3. Test 3: Extract and inspect the driver certificate chain for WHQL abuse indicators

    Expected signal: process creation (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled) for sigcheck64.exe with a command line referencing the driver path, and file creation (Sysmon Event ID 11) in C:\Temp\.

  4. Test 4: Registry persistence check for the kernel driver service entry

    Expected signal: Sysmon Event ID 13 (registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\SimProxyDrv\ImagePath with a value pointing to a non-standard driver path, and Windows Security Event ID 4657 (registry value modified) if a SACL is set on the key and object access auditing is enabled.
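The following is an added example, not part of this page's detection content and not IBM code: an offline replay of the QRadar rule's WHERE clause in Python, run over constructed events shaped like the expected signals from Tests 1, 2 and 4 above, plus a WHQL-signed vendor driver from the tuning list and a kernel-mode socket attributed to System. It shows which of those the two branches of the query fire on and which they miss, without needing a console. The event labels, the QID names, the paths, the service name SimProxyDrv (taken from Test 4) and every payload string are constructed for illustration, not captured logs.

```python
"""Offline replay of the CVE-2024-26234 QRadar rule's WHERE clause.

Added example, not part of the original page and not IBM code. The two OR
branches of the AQL query are mirrored in Python and run over constructed
events shaped like the Testing Methodology's expected signals. Every label,
QID name, path, port and payload below is constructed for illustration.
"""
import re
from dataclasses import dataclass

PROXY_PORTS = {1080, 3128, 8080, 8443}        # "destinationport" IN (...)
WINDOWS_SOURCE_TYPES = {"Microsoft Windows Security Event Log", "Sysmon"}


@dataclass
class Event:
    """One row of the QRadar events table, reduced to the columns the rule reads."""
    label: str                       # used only to report results
    source_type: str                 # LOGSOURCETYPENAME(devicetype)
    event_name: str                  # QIDNAME(qid)
    payload: str                     # UTF8(payload)
    filename: str = ""               # "filename" property (Sysmon Image for Event ID 3)
    destination_port: int = 0        # "destinationport"
    group: str = "windows-servers"   # LOGSOURCEGROUPNAME(logsourceid)


def driver_install_clause(ev: Event) -> bool:
    """Branch 1: install/load-type QID whose payload names a .sys and 'microsoft'."""
    qid, payload = ev.event_name.lower(), ev.payload.lower()
    install_like = ("driver" in qid and ("install" in qid or "load" in qid)) \
        or "service install" in qid
    return install_like and ".sys" in payload and "microsoft" in payload


def proxy_port_clause(ev: Event) -> bool:
    """Branch 2: connection to a proxy port from an image whose name ends in .sys."""
    return ev.destination_port in PROXY_PORTS and ev.filename.lower().endswith(".sys")


def rule_matches(ev: Event) -> bool:
    """The whole WHERE clause, including the honeypot log-source-group exclusion."""
    return (ev.source_type in WINDOWS_SOURCE_TYPES
            and (driver_install_clause(ev) or proxy_port_clause(ev))
            and "honeypot" not in ev.group.lower())


def sysmon6_publisher(payload: str):
    """Signer named in a Sysmon Event ID 6 'Signature:' field, or None.

    A bare '%microsoft%' over the payload also matches the provider name
    Microsoft-Windows-Sysmon; the Signature field is the check to anchor on.
    """
    m = re.search(r"Signature:\s*(.*?)\s+SignatureStatus:", payload)
    return m.group(1) if m else None


SYSMON_HDR = "Source=Microsoft-Windows-Sysmon "
DRV = "C:\\ProgramData\\simproxy\\SimProxyDrv.sys"   # service name taken from Test 4
WHQL = "Signature: Microsoft Windows Hardware Compatibility Publisher SignatureStatus: Valid"

SAMPLE_EVENTS = [
    # Shape of the real case: WHQL-signed driver loaded from a non-standard path.
    Event("whql_driver_programdata", "Sysmon", "Driver loaded",
          SYSMON_HDR + "EventID=6 Driver loaded: ImageLoaded: " + DRV + " Signed: true " + WHQL),
    # Test 1: self-signed driver. Still fires, because 'microsoft' comes from the header.
    Event("self_signed_driver_test1", "Sysmon", "Driver loaded",
          SYSMON_HDR + "EventID=6 Driver loaded: ImageLoaded: " + DRV
          + " Signed: true Signature: SimProxy Test Root SignatureStatus: Unavailable"),
    # Test 1: the System-log 7045 for the same install. No 'microsoft' string, so branch 1 misses it.
    Event("scm_7045_kernel_driver", "Microsoft Windows Security Event Log", "Service Installed",
          "Source=Service Control Manager EventID=7045 A service was installed in the system. "
          "Service Name: SimProxyDrv Service File Name: " + DRV + " Service Type: kernel mode driver"),
    # Test 2: user-mode binary renamed to .sys talking to a SOCKS port.
    Event("usermode_proxy_named_sys_test2", "Sysmon", "Network connection detected",
          SYSMON_HDR + "EventID=3 Image: C:\\ProgramData\\simproxy\\proxy.sys DestinationPort: 1080",
          filename="C:\\ProgramData\\simproxy\\proxy.sys", destination_port=1080),
    # Sockets opened by a kernel driver are attributed to System (PID 4), so branch 2 misses them.
    Event("kernel_socket_as_system", "Sysmon", "Network connection detected",
          SYSMON_HDR + "EventID=3 Image: System DestinationPort: 1080",
          filename="System", destination_port=1080),
    # Tuning list: a WHQL-signed vendor NIC driver from System32 fires exactly like the real case.
    Event("vendor_nic_driver", "Sysmon", "Driver loaded",
          SYSMON_HDR + "EventID=6 Driver loaded: ImageLoaded: "
          "C:\\Windows\\System32\\drivers\\vendornic64.sys Signed: true " + WHQL),
]


def replay(events=SAMPLE_EVENTS) -> dict:
    """Map each label to (rule fired?, publisher from the Sysmon 6 Signature field)."""
    return {ev.label: (rule_matches(ev), sysmon6_publisher(ev.payload)) for ev in events}


if __name__ == "__main__":
    for label, (fired, publisher) in replay().items():
        print(f"{'HIT ' if fired else 'miss'}  {label:32} publisher={publisher}")
```

Running the replay makes the rule's shape visible at a glance: the WHQL-signed driver from ProgramData and the vendor NIC driver fire identically (the tuning work is in distinguishing them by path and publisher), the self-signed test driver fires only because of the provider name in the header, and both the 7045 service-install record and the driver's own kernel-mode socket fall through.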
