CVE-2024-26234 Splunk · SPL

Detect Windows Proxy Driver Spoofing via Malicious Signed Driver in Splunk

CVE-2024-26234 is a medium-severity (CVSS 6.7) proxy driver spoofing vulnerability in Windows. The vulnerability was discovered when a malicious driver signed with a valid Microsoft Hardware Compatibility Publisher certificate (WHCP) was found in the wild — the driver impersonated a legitimate Xiaomi application but contained proxy/backdoor functionality. The flaw relates to improper access control (CWE-284) in how Windows handles proxy driver installations. Despite the medium CVSS score, this vulnerability has forensic significance as it demonstrates abuse of the Microsoft WHCP signing process for driver-level persistence and traffic interception. It requires high privileges to exploit (local), limiting its attack surface to post-compromise or insider threat scenarios. Useful for detecting signed malicious drivers and driver-based persistence on Windows endpoints.

MITRE ATT&CK

Tactics
  • Defense Evasion
  • Persistence

SPL Detection Query

Splunk (SPL)
index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
  "WinEventLog:System", "WinEventLog:Security", "crowdstrike:events:sensor")
(EventCode=6 OR EventCode=7045 OR EventCode=4697 OR event_simpleName="DriverLoad")
| where
    (
      (EventCode==6 OR event_simpleName=="DriverLoad")
      AND (
        match(ImageLoaded, "(?i)(proxy|tunnel|inject|hook|filter|intercept)")
        OR match(ImageLoaded, "(?i)(\\\\Temp\\\\|AppData\\\\|Downloads\\\\)")
      )
    )
    OR
    (
      (EventCode==7045 OR EventCode==4697)
      AND in(ServiceType, "kernel mode driver", "1")
      AND (
        match(ServiceFileName, "(?i)(proxy|filter|hook|inject|\\\\Temp\\\\|AppData\\\\)")
        OR NOT match(ServiceFileName, "(?i)(windows|system32|syswow64|program files)")
      )
    )
| eval CVE="CVE-2024-26234"
| eval ThreatType=case(
    EventCode==6, "Suspicious-Driver-Load",
    EventCode==7045, "New-Kernel-Service-Install",
    EventCode==4697, "Service-Installed-Via-SCM",
    true(), "Driver-Anomaly"
  )
| bin _time span=1h
| stats count AS Events,
        values(ImageLoaded) AS DriversLoaded,
        values(ServiceFileName) AS ServiceFiles,
        values(Signature) AS Signatures
  BY host, user, CVE, ThreatType, _time
| table _time, host, user, ThreatType, DriversLoaded, ServiceFiles, Signatures, Events, CVE
| sort - Events

Severity: high · Confidence: medium

Notes on the query: match() is an eval function and is not accepted inside the base search, so the base search only narrows on sourcetype and event code and the regex conditions are applied in a where stage; Event ID 4697 lives in the Security log, so WinEventLog:Security is included in the sourcetype list; the hourly bucketing is done with bin before stats, which every Splunk version accepts; and the no-op where Events >= 1 filter has been dropped, since stats never emits a zero-count row.

Detects CVE-2024-26234-style malicious signed driver activity: Sysmon Event ID 6 (driver load) where the driver name contains proxy/hook-style keywords or the driver is loaded from a non-standard path, and Windows Event IDs 7045/4697 (new service or kernel driver installation) where the kernel mode driver's file path is suspicious or outside the standard Windows and Program Files locations. A kernel mode driver loaded from a user-writable path (Temp, AppData, Downloads) is the high-confidence combination; keyword hits alone are weaker, because legitimate filter drivers also match them.
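As an added example that is not part of the original detection page, the Python below replays the query's filter, case() and stats stages over a handful of constructed events, so the path and keyword heuristics can be unit-tested before the SPL is deployed. The field names (EventCode, ImageLoaded, ServiceFileName, ServiceType, Signature, event_simpleName) are the ones the query relies on; the hosts, users, paths, signer string and timestamps are constructed sample values, and the WdFilter.sys row is included deliberately to show the benign filter-driver false positive that the tuning section describes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regexes mirror the match() calls in the SPL query above (case-insensitive).
NAME_PATTERN = re.compile(r"proxy|tunnel|inject|hook|filter|intercept", re.I)
USER_PATH_PATTERN = re.compile(r"\\Temp\\|AppData\\|Downloads\\", re.I)
SERVICE_PATTERN = re.compile(r"proxy|filter|hook|inject|\\Temp\\|AppData\\", re.I)
STANDARD_PATH_PATTERN = re.compile(r"windows|system32|syswow64|program files", re.I)
KERNEL_DRIVER_TYPES = {"kernel mode driver", "1"}  # ServiceType values the query accepts
CVE_ID = "CVE-2024-26234"

# Constructed sample events (not real telemetry). Field names follow the
# Splunk-extracted fields the query relies on; _time is a Unix epoch and BASE
# is the start of an hour bucket, so every sample lands in one span=1h bin.
BASE = 1711998000
SAMPLE_EVENTS = [
    {"_time": BASE + 10, "host": "ws01", "user": "CORP\\bob", "EventCode": 6,
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\netproxy.sys",
     "Signature": "Microsoft Windows Hardware Compatibility Publisher"},
    {"_time": BASE + 20, "host": "ws01", "user": "SYSTEM", "EventCode": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows"},
    {"_time": BASE + 30, "host": "ws01", "user": "CORP\\bob", "EventCode": 7045,
     "ServiceType": "kernel mode driver",
     "ServiceFileName": r"C:\Users\bob\AppData\Local\Temp\drv.sys"},
    {"_time": BASE + 35, "host": "ws01", "user": "CORP\\bob", "EventCode": 7045,
     "ServiceType": "kernel mode driver",
     "ServiceFileName": r"C:\Users\bob\AppData\Local\Temp\drv2.sys"},
    {"_time": BASE + 40, "host": "ws02", "user": "CORP\\alice", "EventCode": 7045,
     "ServiceType": "user mode service",          # not a kernel driver: ignored
     "ServiceFileName": r"C:\Temp\updater.exe"},
    {"_time": BASE + 50, "host": "ws02", "user": "SYSTEM", "EventCode": 7045,
     "ServiceType": "kernel mode driver",          # benign, but the name hits "filter"
     "ServiceFileName": r"C:\Windows\System32\drivers\WdFilter.sys"},
    {"_time": BASE + 60, "host": "ws03", "user": "CORP\\carol", "EventCode": 4697,
     "ServiceType": "1",
     "ServiceFileName": r"\??\C:\Users\carol\Downloads\tun.sys"},
    {"_time": BASE + 70, "host": "ws03", "user": "CORP\\carol",
     "event_simpleName": "DriverLoad",             # CrowdStrike-style event, no EventCode
     "ImageLoaded": r"C:\ProgramData\hook.sys"},
]


def classify(event: dict) -> Optional[str]:
    """Return the ThreatType the query's case() assigns, or None if the event
    does not pass the query's where-stage filter."""
    code = event.get("EventCode")
    if code == 6 or event.get("event_simpleName") == "DriverLoad":
        path = event.get("ImageLoaded", "")
        if NAME_PATTERN.search(path) or USER_PATH_PATTERN.search(path):
            return "Suspicious-Driver-Load" if code == 6 else "Driver-Anomaly"
        return None
    if code in (7045, 4697) and event.get("ServiceType") in KERNEL_DRIVER_TYPES:
        path = event.get("ServiceFileName", "")
        # Suspicious keyword/path, or anything outside the standard Windows locations.
        if SERVICE_PATTERN.search(path) or not STANDARD_PATH_PATTERN.search(path):
            return "New-Kernel-Service-Install" if code == 7045 else "Service-Installed-Via-SCM"
    return None


def summarize(events: List[dict], span: int = 3600) -> List[dict]:
    """Equivalent of the bin/stats/sort stages: one row per host, user,
    ThreatType and time bucket, carrying the distinct values the query
    collects, ordered by Events descending."""
    rows: Dict[Tuple, dict] = {}
    for ev in events:
        threat = classify(ev)
        if threat is None:
            continue
        bucket = ev["_time"] - ev["_time"] % span
        key = (ev["host"], ev.get("user", ""), threat, bucket)
        row = rows.setdefault(key, {
            "_time": bucket, "host": ev["host"], "user": ev.get("user", ""),
            "ThreatType": threat, "CVE": CVE_ID, "Events": 0,
            "DriversLoaded": set(), "ServiceFiles": set(), "Signatures": set(),
        })
        row["Events"] += 1
        for src, dst in (("ImageLoaded", "DriversLoaded"),
                         ("ServiceFileName", "ServiceFiles"),
                         ("Signature", "Signatures")):
            if src in ev:
                row[dst].add(ev[src])
    return sorted(rows.values(), key=lambda r: -r["Events"])


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row["_time"], row["host"], row["user"], row["ThreatType"], row["Events"],
              sorted(row["DriversLoaded"] | row["ServiceFiles"]))
```

Running the script prints one row per host/user/ThreatType for the hour bucket, with the two Temp-path kernel driver installs on ws01 aggregated into a single row with Events=2 at the top. The WdFilter.sys row shows why the description above calls the user-writable-path condition the high-confidence one: a signed driver in System32 whose name merely contains "filter" produces the same ThreatType and needs the tuning exclusion.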

Data Sources

  • Sysmon (Event ID 6: driver load)
  • Windows System Event Log (Event ID 7045: new service installed)
  • Windows Security Event Log (Event ID 4697: service installed)

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:System
  • WinEventLog:Security (for Event ID 4697)

False Positives & Tuning

  • Legitimate VPN or security software kernel driver installations from standard paths
  • Hardware driver updates installing filter drivers (sound cards, USB controllers); the "filter" keyword also matches benign filter drivers in System32, so consider an allowlist of known signers or paths
  • Verify that the field names used here (ImageLoaded, ServiceFileName, ServiceType, Signature) match what your Windows add-on extracts; classic WinEventLog and XmlWinEventLog extractions can name these fields differently

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Install test kernel driver service from non-standard path

    Expected signal: Windows Event ID 7045 (new service with kernel driver type and a %TEMP% path); Sysmon Event ID 6 with a non-standard path.
