CVE-2024-26234 Microsoft Sentinel · KQL

Detect Windows Proxy Driver Spoofing via Malicious Signed Driver in Microsoft Sentinel

CVE-2024-26234 is a medium-severity (CVSS 6.7) proxy driver spoofing vulnerability in Windows. It was discovered when a malicious driver signed with a valid Microsoft Hardware Compatibility Publisher (WHCP) certificate was found in the wild: the driver impersonated a legitimate Xiaomi application but contained proxy/backdoor functionality. The flaw is classed as improper access control (CWE-284) in how Windows handles proxy driver installations. Despite the medium CVSS score, the vulnerability has forensic significance because it demonstrates abuse of the Microsoft WHCP signing process for driver-level persistence and traffic interception. Exploitation requires high local privileges, which limits its attack surface to post-compromise or insider-threat scenarios. This detection is useful for spotting signed malicious drivers and driver-based persistence on Windows endpoints.

MITRE ATT&CK

Tactic
Defense Evasion, Persistence

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// CVE-2024-26234 — Windows Proxy Driver Spoofing
// Detect malicious signed drivers and suspicious proxy driver installations
// Key signals: new driver loads from unexpected paths, proxy-related driver installs,
//              drivers with revoked or suspicious certificates
let SuspiciousDriverLoad =
DeviceEvents
| where TimeGenerated > ago(24h)
| where ActionType == "DriverLoad" or ActionType == "ServiceInstalled"
| where AdditionalFields has_any (
    "proxy", "vpn", "tunnel", "inject", "hook",
    "filter", "intercept", "redirect"
  )
    or InitiatingProcessFolderPath has_any ("%Temp%", "\\AppData\\", "\\Downloads\\")
| extend ThreatIndicator = "CVE-2024-26234-Suspicious-Driver";
let DriverFromUserPath =
DeviceImageLoadEvents
| where TimeGenerated > ago(24h)
| where FileName endswith ".sys"
| where FolderPath has_any (
    "Temp", "AppData", "Downloads", "ProgramData",
    "Users"
  )
    and not FolderPath has "\\Windows\\"
    and not FolderPath has "\\Program Files\\"
| extend ThreatIndicator = "CVE-2024-26234-Driver-NonStandard-Path";
let ProxyServiceInstall =
DeviceRegistryEvents
| where TimeGenerated > ago(24h)
| where RegistryKey has_any (
    "HKLM\\SYSTEM\\CurrentControlSet\\Services",
    "HKLM\\SOFTWARE\\Classes\\Protocols\\Handler"
  )
| where RegistryValueName in~ ("Start", "ImagePath", "Type")
| where RegistryValueData has_any (".sys", "proxy", "filter", "hook")
| where not (InitiatingProcessFileName in~ ("msiexec.exe", "setup.exe", "install.exe")
    and InitiatingProcessFolderPath has "Program Files")
| extend ThreatIndicator = "CVE-2024-26234-Proxy-Service-Registry";
SuspiciousDriverLoad
| union DriverFromUserPath
| union ProxyServiceInstall
| sort by TimeGenerated desc
```

Severity: High · Confidence: Medium

Detects CVE-2024-26234 and similar malicious proxy/filter driver exploitation via three signals: (1) driver load events with proxy/tunnel/hook keywords, (2) .sys files loaded from non-standard paths (user temp/AppData directories), and (3) suspicious registry modifications to Windows services keys installing proxy-type drivers.

Data Sources

  • Microsoft Defender for Endpoint (DeviceEvents)
  • Microsoft Defender for Endpoint (DeviceImageLoadEvents)
  • Microsoft Defender for Endpoint (DeviceRegistryEvents)

Required Tables

  • DeviceEvents
  • DeviceImageLoadEvents
  • DeviceRegistryEvents

False Positives & Tuning

  • Legitimate VPN client drivers installing via msiexec from Program Files (excluded in query)
  • Security software (EDR, AV) installing kernel filter drivers
  • Network monitoring tools (Wireshark WinPcap/Npcap) installing capture drivers
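The false positives above are all legitimately signed drivers, so path-only matching cannot separate them from a WHCP-signed malicious driver dropped in a user-writable location. The following query is an added example (not part of the original detection) that enriches the non-standard-path signal with signer metadata from the MDE DeviceFileCertificateInfo table; it assumes that table is ingested, that the WHCP signer string below matches the certificate subject as recorded by MDE, and that the allowlist entries are placeholders to be replaced with the vendors deployed in your environment.

```kusto
// Added example: signer-enriched variant of the DriverFromUserPath signal.
// Assumption: DeviceFileCertificateInfo is ingested and keyed by SHA1 like
// DeviceImageLoadEvents, so the two can be joined on the file hash.
let lookback = 24h;
// Placeholder allowlist: replace with the signer names of your EDR/AV, VPN
// and packet-capture vendors (see the False Positives list above).
let AllowedSigners = dynamic([
    "ALLOWLISTED-EDR-VENDOR-PLACEHOLDER",
    "ALLOWLISTED-VPN-VENDOR-PLACEHOLDER",
    "ALLOWLISTED-CAPTURE-DRIVER-VENDOR-PLACEHOLDER"
]);
// Assumed subject name of the WHCP signing certificate as seen in MDE.
let WhcpSigner = "Microsoft Windows Hardware Compatibility Publisher";
let DriverLoads =
    DeviceImageLoadEvents
    | where TimeGenerated > ago(lookback)
    | where FileName endswith ".sys"
    | where FolderPath has_any ("Temp", "AppData", "Downloads", "ProgramData", "Users")
    | where not (FolderPath has "\\Windows\\") and not (FolderPath has "\\Program Files\\")
    | project TimeGenerated, DeviceName, FileName, FolderPath, SHA1,
              InitiatingProcessFileName, InitiatingProcessFolderPath;
// Most recent certificate record per hash; the table is sparse, so look back further.
let CertInfo =
    DeviceFileCertificateInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by SHA1
    | project SHA1, IsSigned, IsTrusted, Signer, Issuer, CertificateSerialNumber;
DriverLoads
| join kind=leftouter CertInfo on SHA1
// Drop drivers from allowlisted vendors; everything else stays for triage.
| where not (Signer in~ (AllowedSigners))
| extend SignalReason = case(
    isempty(Signer), "Unsigned-or-No-Certificate-Record",
    Signer =~ WhcpSigner, "WHCP-Signed-Driver-NonStandard-Path",
    IsTrusted == false, "Signed-But-Untrusted-Chain",
    "Third-Party-Signed-NonStandard-Path")
| extend ThreatIndicator = "CVE-2024-26234-Driver-Signer-Enriched"
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1,
          Signer, Issuer, CertificateSerialNumber, IsTrusted, SignalReason,
          ThreatIndicator, InitiatingProcessFileName, InitiatingProcessFolderPath
| sort by TimeGenerated desc
```

Rows tagged WHCP-Signed-Driver-NonStandard-Path are the ones to prioritise, since a WHCP-signed driver loading from a user-writable directory is the pattern this CVE describes; the CertificateSerialNumber column lets you check the serial against revocation once a sample is identified.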

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Install a test kernel driver service from a non-standard path

    Expected signal: Windows Event ID 7045 (new service with a kernel driver type and a %TEMP% path); Sysmon Event ID 6 (driver loaded from a non-standard path).
