Detect CVE-2024-26234 — Windows Proxy Driver Spoofing via Malicious Signed Driver in Sumo Logic CSE
Detects exploitation of CVE-2024-26234, a Windows Proxy Driver Spoofing vulnerability where threat actors abuse Microsoft's WHQL signing process to load a malicious signed kernel driver. The driver installs a proxy component enabling persistent backdoor access. Severity is elevated given weaponized exploit status and kernel-level code execution potential.
Sumo Detection Query
_sourceCategory=windows/security OR _sourceCategory=windows/sysmon
| join
    // Driver install/load: Security Event ID 7045 (service install) or Sysmon Event ID 6 (driver load)
    (where EventID in ("7045", "6")
     | parse regex field=_raw "(?<driver_path>[A-Za-z]:\\\\[^\"<>|?*]+\.sys)" nodrop
     | parse regex field=_raw "(?i)(?:SignerName|SubjectName)=\"(?<cert_signer>[^\"]+)\"" nodrop
     | where !isNull(driver_path)
     | where isNull(cert_signer) OR cert_signer matches "*Microsoft*" OR cert_signer matches "*Windows*") as drv,
    // Sysmon Event ID 3: outbound connection on a proxy port whose initiating image is a .sys file
    (where EventID = "3"
     | parse regex field=_raw "Image=(?<initiating_process>[^\r\n]+)" nodrop
     | where initiating_process matches "*.sys"
     | where DestinationPort in ("1080", "3128", "8080", "8443", "443")) as net
  on drv._sourceHost = net._sourceHost timewindow 5m
| timeslice 5m
| count by _timeslice, _sourceHost, drv_driver_path, drv_cert_signer, net_initiating_process, net_DestinationIp, net_DestinationPort
| sort by _timeslice desc
Correlates Windows driver installation and Sysmon network connection events to identify Microsoft-signed .sys files making outbound proxy connections, indicative of CVE-2024-26234. The join pairs the two event streams per host within a 5-minute window; the `parse` steps use `parse regex` (a named capture group needs the regex form) and the final projection uses `fields`-style naming via `count by`, since Sumo Logic has no `project` operator.
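The same correlation, written as a stand-alone Python check over constructed sample telemetry (an added example, not Sumo Logic's query or code from the original page; host names, paths, signer strings and IPs are made up, and the "key=value" layout of the raw field is assumed). It applies the page's three filters, a .sys driver load with an unknown or Microsoft/Windows signer, a proxy-port connection initiated by a .sys image, and a per-host 5-minute window, and also shows the tuning case from the false-positive list: a legitimately signed remote-access driver whose connection falls outside the window does not fire.

```python
import re
from datetime import datetime, timedelta
PROXY_PORTS = {"1080", "3128", "8080", "8443", "443"}  # ports and window mirrored from the query
WINDOW = timedelta(minutes=5)
DRIVER_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"<>|?*\r\n]+?\.sys)')
SIGNER_RE = re.compile(r'(?:SignerName|SubjectName)="(?P<signer>[^"]+)"', re.I)
IMAGE_RE = re.compile(r'Image=(?P<image>[^\r\n]+)')

SAMPLE_EVENTS = [  # constructed sample telemetry (hypothetical hosts, paths, signers and IPs)
    {"host": "WS01", "event_id": 6, "time": datetime(2024, 4, 10, 9, 0, 10),
     "raw": 'ImageLoaded=C:\\ProgramData\\simproxy.sys\nSubjectName="Microsoft Windows Hardware Compatibility Publisher"'},
    {"host": "WS01", "event_id": 3, "time": datetime(2024, 4, 10, 9, 2, 30), "dst_ip": "203.0.113.7",
     "dst_port": "1080", "raw": 'Image=C:\\ProgramData\\simproxy.sys\nProtocol=tcp'},
    # Tuning case: signed remote-access driver (hypothetical corpvpn.sys) loaded at boot.
    {"host": "WS02", "event_id": 6, "time": datetime(2024, 4, 10, 9, 0, 0),
     "raw": 'ImageLoaded=C:\\Windows\\System32\\drivers\\corpvpn.sys\nSubjectName="Microsoft Windows Hardware Compatibility Publisher"'},
    # Same host as the hit, but the connection comes from a normal EXE, so it must not correlate.
    {"host": "WS01", "event_id": 3, "time": datetime(2024, 4, 10, 9, 3, 0), "dst_ip": "203.0.113.9",
     "dst_port": "443", "raw": 'Image=C:\\Program Files\\Browser\\browser.exe\nProtocol=tcp'},
    # .sys-initiated proxy connection, but 40 minutes after the load: outside the 5-minute window.
    {"host": "WS02", "event_id": 3, "time": datetime(2024, 4, 10, 9, 40, 0), "dst_ip": "203.0.113.8",
     "dst_port": "8080", "raw": 'Image=C:\\Windows\\System32\\drivers\\corpvpn.sys\nProtocol=tcp'},
]

def parse_driver_event(ev):
    """Security 7045 / Sysmon 6: keep loads of a .sys with an unknown or Microsoft/Windows signer."""
    m = DRIVER_RE.search(ev["raw"])
    if not m:
        return None
    s = SIGNER_RE.search(ev["raw"])
    signer = s.group("signer") if s else None
    if signer and not re.search(r"microsoft|windows", signer, re.I):
        return None
    return {"host": ev["host"], "time": ev["time"], "driver_path": m.group("path"), "cert_signer": signer}

def parse_net_event(ev):
    """Sysmon 3: keep connections to proxy ports whose initiating Image is a .sys file."""
    m = IMAGE_RE.search(ev["raw"])
    if not m or not m.group("image").lower().endswith(".sys") or ev["dst_port"] not in PROXY_PORTS:
        return None
    return {"host": ev["host"], "time": ev["time"], "initiating_process": m.group("image"),
            "dst_ip": ev["dst_ip"], "dst_port": ev["dst_port"]}

def correlate(events, window=WINDOW):
    """Join driver-load and network events on host when they fall within one window of each other."""
    drivers = [d for d in map(parse_driver_event, (e for e in events if e["event_id"] in (7045, 6))) if d]
    nets = [n for n in map(parse_net_event, (e for e in events if e["event_id"] == 3)) if n]
    return [{**d, **{k: v for k, v in n.items() if k not in ("host", "time")}}
            for d in drivers for n in nets
            if d["host"] == n["host"] and abs(n["time"] - d["time"]) <= window]
```

Widening `window` to an hour makes the corpvpn.sys pair fire as well, which is the trade-off the tuning section is about.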
False Positives & Tuning
- Legitimate remote access products using signed kernel components
- Sumo Logic's own collection agents if kernel-level
- Corporate proxy agents installed as kernel drivers
- Vulnerability scanners triggering driver loads during assessment
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Deploy a self-signed WHQL-mimicking kernel driver
  Expected signal: Windows Security Event ID 7045 (service install) with ServiceType=kernel, Sysmon Event ID 6 (driver load) with ImageLoaded path in ProgramData, and a Code Integrity event in the Microsoft-Windows-CodeIntegrity/Operational log.
- Test 2: Simulate a proxy connection from a .sys-named process
  Expected signal: Sysmon Event ID 3 (network connection) with Image path ending in .sys, destination ports 1080 and 8080, and a non-loopback destination IP.
- Test 3: Extract and inspect the driver certificate chain for WHQL abuse indicators
  Expected signal: Process creation event for sigcheck64.exe with a command line referencing the driver path. Output file creation in C:\Temp\.
- Test 4: Registry persistence check for the kernel driver service entry
  Expected signal: Sysmon Event ID 13 (registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\SimProxyDrv\ImagePath with a value pointing to a non-standard driver path, and Windows Security Event ID 4657 (registry value modified) if object access auditing is enabled.