CVE-2025-62215 Microsoft Windows Race Condition Exploitation

let timeWindow = 5m;
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4688, 4689, 4656, 4663, 4670)
| where ProcessName has_any ("svchost.exe", "lsass.exe", "winlogon.exe", "services.exe")
    or (EventID == 4688 and ParentProcessName has_any ("svchost.exe", "services.exe") and NewProcessName !has_any ("conhost.exe", "WerFault.exe"))
| join kind=inner (
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4672
    | project AccountName, Computer, PrivilegeList, TimeGenerated
) on AccountName, Computer
| where PrivilegeList has_any ("SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege")
| summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), UniqueEventIDs = make_set(EventID) by AccountName, Computer, ProcessName
| where EventCount > 3
| extend TimeDeltaSeconds = datetime_diff('second', LastSeen, FirstSeen)
| where TimeDeltaSeconds < 30
| extend RiskScore = case(EventCount > 10, "High", EventCount > 5, "Medium", "Low")
| project-reorder FirstSeen, LastSeen, Computer, AccountName, ProcessName, EventCount, TimeDeltaSeconds, RiskScore, UniqueEventIDs

index=wineventlog sourcetype=WinEventLog:Security EventCode IN (4688, 4689, 4656, 4663, 4670, 4672)
| eval is_sensitive_proc=if(match(Process_Name, "(?i)(svchost|lsass|winlogon|services|wininit)\.exe"), 1, 0)
| eval has_dangerous_priv=if(match(Privilege_List, "SeDebugPrivilege|SeTcbPrivilege|SeCreateTokenPrivilege"), 1, 0)
| eval event_ts=strptime(_time, "%s")
| sort 0 Account_Name, Computer, _time
| streamstats window=20 count AS burst_count, range(_time) AS time_range_sec by Account_Name, Computer
| where burst_count > 5 AND time_range_sec < 30
| where is_sensitive_proc=1 OR has_dangerous_priv=1
| stats count AS total_events, 
        values(EventCode) AS event_codes, 
        values(Process_Name) AS processes, 
        values(Privilege_List) AS privileges, 
        min(_time) AS first_seen, 
        max(_time) AS last_seen, 
        max(burst_count) AS max_burst 
  by Account_Name, Computer
| eval duration_sec=last_seen - first_seen
| where max_burst > 5 AND duration_sec < 60
| eval severity=case(max_burst > 15, "critical", max_burst > 8, "high", "medium")
| table first_seen, last_seen, Computer, Account_Name, processes, event_codes, privileges, max_burst, duration_sec, severity
| sort - max_burst

sequence by host.name, user.name with maxspan=30s
  [process where event.action == "start" and
   process.parent.name : ("svchost.exe", "services.exe", "wininit.exe") and
   not process.name : ("conhost.exe", "WerFault.exe", "svchost.exe")]
  [any where event.category == "file" and
   event.action in ("open", "creation") and
   file.path : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*")]
  [process where event.action == "start" and
   process.token.integrity_level_name in ("high", "system") and
   not process.parent.token.integrity_level_name in ("high", "system")]

SELECT 
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  COUNT(*) AS event_count,
  TIMESTAMPDIFF(SECOND, MIN(starttime), MAX(starttime)) AS duration_seconds
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) = 'Microsoft Windows Security Event Log'
  AND eventid IN (4688, 4689, 4656, 4663, 4670, 4672)
  AND (
    LOWER("Process Name") LIKE '%svchost.exe%'
    OR LOWER("Process Name") LIKE '%lsass.exe%'
    OR LOWER("Process Name") LIKE '%winlogon.exe%'
    OR LOWER("Privilege List") LIKE '%sebugprivilege%'
    OR LOWER("Privilege List") LIKE '%setcbprivilege%'
  )
  AND starttime > NOW() - 86400000
GROUP BY sourceip, username
HAVING event_count > 5
  AND duration_seconds < 60
ORDER BY event_count DESC
LAST 24 HOURS

_sourceCategory=Windows/Security
| parse regex "EventCode=(?P<event_code>\d+)"
| parse regex "Account Name:\s+(?P<account_name>[^\r\n]+)" nodrop
| parse regex "Process Name:\s+(?P<process_name>[^\r\n]+)" nodrop
| parse regex "Privilege List:\s+(?P<privilege_list>[^\r\n]+)" nodrop
| where event_code in ("4688", "4689", "4656", "4663", "4670", "4672")
| where process_name matches "*svchost.exe*" or process_name matches "*lsass.exe*"
    or process_name matches "*winlogon.exe*" or process_name matches "*services.exe*"
    or privilege_list matches "*SeDebugPrivilege*" or privilege_list matches "*SeTcbPrivilege*"
    or privilege_list matches "*SeCreateTokenPrivilege*"
| timeslice 10s
| count by _timeslice, account_name, _sourceHost
| where _count > 3
| sort by _count desc
| fields _timeslice, account_name, _sourceHost, _count

rule cve_2025_62215_windows_race_condition {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects race condition exploitation attempts targeting CVE-2025-62215 in Microsoft Windows"
    severity = "HIGH"
    priority = "HIGH"
    yara_version = "YL2.0"
    rule_version = "1.0"
    reference = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62215"
    cve = "CVE-2025-62215"

  events:
    $event1.metadata.event_type = "PROCESS_LAUNCH"
    $event1.principal.hostname = $hostname
    $event1.principal.user.userid = $user
    $event1.target.process.file.full_path = /(?i)(svchost|lsass|winlogon|services)\.exe$/

    $event2.metadata.event_type = "USER_RESOURCE_ACCESS"
    $event2.principal.hostname = $hostname
    $event2.principal.user.userid = $user
    $event2.security_result.category = "SOFTWARE_SUSPICIOUS"

    $event3.metadata.event_type = "USER_PRIVILEGE_ESCALATION"
    $event3.principal.hostname = $hostname
    $event3.principal.user.userid = $user

  match:
    $hostname, $user over 30s

  condition:
    $event1 and $event2 and $event3
}

event_simpleName IN ("ProcessRollup2", "CreateRemoteThreadV2", "HandleDuplicated", "PrivilegeEscalationDetected")
| where ImageFileName matches "(?i)(svchost|lsass|winlogon|services|wininit)\.exe"
    OR ParentBaseFileName matches "(?i)(svchost|services)\.exe"
    AND NOT ImageFileName matches "(?i)(conhost|WerFault|MpCmdRun)\.exe"
| eval event_ts = _time
| stats 
    count() AS burst_count, 
    dc(event_simpleName) AS unique_event_types,
    values(event_simpleName) AS event_types,
    values(ImageFileName) AS images,
    min(_time) AS first_seen,
    max(_time) AS last_seen 
  by aid, UserName
| eval duration_sec = last_seen - first_seen
| where burst_count > 4 AND duration_sec < 45 AND unique_event_types >= 2
| eval risk_level = case(burst_count > 15 AND unique_event_types >= 3, "critical", burst_count > 8, "high", "medium")
| sort - burst_count
| fields first_seen, last_seen, aid, UserName, images, event_types, burst_count, duration_sec, risk_level