Detecting Zero Day CVE 2025 21333 Privilege Escalation
Query
// Detecting Zero-Day CVE-2025-21333 Privilege Escalation
// https://securityonline.info/windows-hyper-v-zero-day-cve-2025-21333-poc-drops-system-access-exposed/
// https://github.com/MrAle98/CVE-2025-21333-POC
let QueryPeriod = 30d;
let DetectionPeriod = 1h;
let HyperVEnabledEndpoint =
DeviceProcessEvents
| where Timestamp > ago(QueryPeriod)
| where FileName == "WindowsSandboxServer.exe"
| distinct DeviceId;
let VulnerableEndpoint =
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2025-21333"
| distinct DeviceId;
let NewExePOCCreation =
DeviceFileEvents
| where Timestamp > ago(DetectionPeriod)
| where ActionType == "FileCreated"
| where FileName endswith ".exe"
| distinct FileName;
DeviceEvents
| where Timestamp > ago(DetectionPeriod)
| where ActionType == "ProcessPrimaryTokenModified"
| where FileName has_any(NewExePOCCreation)
| where DeviceId has_any(HyperVEnabledEndpoint) and DeviceId has_any(VulnerableEndpoint)Explanation
This query is designed to detect potential exploitation of a zero-day vulnerability, specifically CVE-2025-21333, which involves privilege escalation in Windows Hyper-V environments. Here's a simplified breakdown of what the query does:
-
Query Period and Detection Period:
- It looks at data from the past 30 days (
QueryPeriod) and focuses on events from the last hour (DetectionPeriod).
- It looks at data from the past 30 days (
-
Identify Hyper-V Enabled Endpoints:
- It checks for devices that have run the "WindowsSandboxServer.exe" process in the last 30 days, indicating that Hyper-V is enabled on these endpoints.
-
Identify Vulnerable Endpoints:
- It identifies devices that have the specific vulnerability CVE-2025-21333.
-
Detect New Executable Files:
- It looks for any new executable files (ending with ".exe") created in the last hour.
-
Detect Privilege Escalation Attempts:
- It searches for events where a process's primary token was modified (a sign of potential privilege escalation) in the last hour.
- It cross-references these events to ensure they involve the newly created executables and occur on devices that are both Hyper-V enabled and vulnerable to CVE-2025-21333. In summary, this query is a security measure to detect suspicious activities that might indicate an attempt to exploit a specific vulnerability in a Hyper-V environment, focusing on new executable files and privilege escalation attempts.
Details

Steven Lim
Released: March 6, 2025
Tables
DeviceProcessEventsDeviceTvmSoftwareVulnerabilitiesDeviceFileEventsDeviceEvents
Keywords
DeviceProcessEventsTvmSoftwareVulnerabilitiesFile
Operators
letagodistinctendswithhas_anywhere