Emerging Threat · medium · experimental
Potential CVE-2024-35250 Exploitation Activity
Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Windows / Image Load (DLL)
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (8 selectors)
detection:
    selection:
        ImageLoaded|endswith: '\ksproxy.ax'
    filter_main_system_paths:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_optional_zoom:
        Image|endswith: '\AppData\Roaming\Zoom\bin\Zoom.exe'
    filter_optional_firefox:
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_optional_chrome:
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_optional_opera:
        Image|endswith: '\AppData\Local\Programs\Opera\opera.exe'
    filter_optional_discord:
        Image|endswith: '\AppData\Local\Discord\app-*\Discord.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Legitimate applications that use Windows Stream Interface APIs.
Media applications that use DirectShow filters.
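To check how the condition above behaves before deploying it, here is a small evaluator for this rule's detection block, written as an added example (it is not part of the rule or of the Sigma project's tooling). It applies Sigma's case-insensitive matching and the '*' wildcard used in the Discord filter to a few constructed image-load events; the event field names (Image, ImageLoaded) and paths are assumptions for illustration.

```python
import re

# Added example (not the rule's own tooling): a minimal evaluator for this rule's
# detection block, run over constructed image-load events to show which ones fire.
RULE = {
    "selection": {"ImageLoaded|endswith": "\\ksproxy.ax"},
    "filter_main_system_paths": {"Image|startswith": [
        "C:\\Program Files\\", "C:\\Program Files (x86)\\",
        "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]},
    "filter_optional_teams": {"Image|endswith": "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"},
    "filter_optional_zoom": {"Image|endswith": "\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe"},
    "filter_optional_firefox": {"Image|endswith": "\\AppData\\Local\\Mozilla Firefox\\firefox.exe"},
    "filter_optional_chrome": {"Image|endswith": "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"},
    "filter_optional_opera": {"Image|endswith": "\\AppData\\Local\\Programs\\Opera\\opera.exe"},
    "filter_optional_discord": {"Image|endswith": "\\AppData\\Local\\Discord\\app-*\\Discord.exe"},
}

def _pattern(value, modifier):
    # Sigma string matching is case-insensitive and '*' is a wildcard;
    # everything else in the value is literal, so it is escaped.
    body = ".*".join(re.escape(part) for part in value.split("*"))
    return re.compile(body + "$" if modifier == "endswith" else "^" + body, re.I)

def selector_matches(event, selector):
    """All fields of a selector must match (AND); a list of values is OR."""
    for key, values in selector.items():
        field, modifier = key.split("|")
        values = [values] if isinstance(values, str) else values
        if not any(_pattern(v, modifier).search(event.get(field, "")) for v in values):
            return False
    return True

def rule_fires(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selector_matches(event, RULE["selection"]):
        return False
    filters = [n for n in RULE if n.startswith(("filter_main_", "filter_optional_"))]
    return not any(selector_matches(event, RULE[n]) for n in filters)

# Constructed events, not real telemetry: only the first should raise an alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\loader.exe", "ImageLoaded": r"C:\Windows\System32\ksproxy.ax"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ksproxy.ax"},
    {"Image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe", "ImageLoaded": r"C:\Windows\System32\KSPROXY.AX"},
    {"Image": r"C:\Users\alice\Downloads\loader.exe", "ImageLoaded": r"C:\Windows\System32\ks.sys"},
]

def evaluate_samples():
    return [rule_fires(e) for e in SAMPLE_EVENTS]
```

Running evaluate_samples() returns [True, False, False, False]: the system-path and Discord filters suppress the second and third events, and the fourth never matches the selection.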
MITRE ATT&CK
Other
cve.2024-35250, detection.emerging-threats
Rule Metadata
Rule ID
17ce9373-2163-4a2c-90ba-f91e9ef7a8c1
Status
experimental
Level
medium
Type
Emerging Threat
Created
Wed Feb 19
Author
Path
rules-emerging-threats/2024/Exploits/CVE-2024-35250/image_load_exploit_cve_2024_35250_privilege_escalation.yml
Raw Tags
attack.privilege-escalation, attack.t1068, cve.2024-35250, detection.emerging-threats