CVE 2024 43452 Po C Detection
Query
// CVE-2024-43452 PoC Detection
// As the year begins, we've encountered a second significant Windows exploit. A Proof of Concept (PoC) has been released for CVE-2024-43452, a Windows Registry Elevation of Privilege vulnerability (CVSS 7.5) affecting Windows 11 23H2. This PoC, created by Mateusz Jurczyk from Google Project Zero, was inspired by Gabriel Landau’s research on registry vulnerabilities. (Link available in the comments)
// CVE-2024-43452 PoC: https://project-zero.issues.chromium.org/issues/42451731
//Fellow defenders, I have developed an advanced hunting DefenderXDR KQL to detect the use of this PoC with high accuracy. Deploy it wisely to prevent abuse by red teams and threat actors.
let VulnerableEndpoint =
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-43452"
| distinct DeviceName;
let ExeWithLP =
DeviceFileEvents
| where ActionType == @"FileCreated"
| where FileName endswith ".exe"
| invoke FileProfile("SHA1",1000)
| where GlobalPrevalence <= 50
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| where SignatureState == @"Unsigned"
| distinct FileName; // An unsual low prevalence unsigned .exe created
let EPwithCMDRun =
DeviceEvents
| where InitiatingProcessCommandLine has ".exe" and InitiatingProcessCommandLine has ".dat"
| where FileName has_any(ExeWithLP)
| distinct DeviceName; // Command line execution with low prevalence exe and .dat file
DeviceNetworkEvents
| where RemotePort == "445"
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (EPwithCMDRun) // Successful outbound SMB connection
| where DeviceName has_any (VulnerableEndpoint) // Not Patch - Vulnerable
// MITRE ATT&CKExplanation
This KQL query is designed to detect potential exploitation of a specific Windows vulnerability, CVE-2024-43452, which is a Windows Registry Elevation of Privilege issue. Here's a simplified breakdown of what the query does:
-
Identify Vulnerable Devices: The query first identifies devices that are vulnerable to CVE-2024-43452 by checking if they have this specific vulnerability listed.
-
Detect Unusual Executable Files: It then looks for executable files (.exe) that have been created on these devices. These files are further filtered to find those with low global prevalence (suggesting they are not commonly seen) and that are unsigned, which can be suspicious.
-
Monitor Command Line Activity: The query checks for command line executions that involve these unusual executable files along with a .dat file, which could indicate an attempt to exploit the vulnerability.
-
Track Network Connections: Finally, it monitors for successful outbound network connections over SMB (port 445) from devices that have run these suspicious executables and are known to be vulnerable.
The goal of this query is to help security teams detect and prevent potential abuse of the CVE-2024-43452 vulnerability by identifying suspicious activities that align with the characteristics of a Proof of Concept (PoC) exploit.
Details

Steven Lim
Released: January 9, 2025
Tables
Keywords
Operators