Detecting Zero-Day CVE-2025-21333 Privilege Escalation.kql

SlimKQL · Mar 6, 2025 · cdab5e5 · cdab5e5
1 parent a90f711
commit cdab5e5
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/DefenderXDR/Detecting Zero-Day CVE-2025-21333 Privilege Escalation.kql b/DefenderXDR/Detecting Zero-Day CVE-2025-21333 Privilege Escalation.kql
@@ -0,0 +1,28 @@
+// Detecting Zero-Day CVE-2025-21333 Privilege Escalation
+
+// https://securityonline.info/windows-hyper-v-zero-day-cve-2025-21333-poc-drops-system-access-exposed/
+// https://github.com/MrAle98/CVE-2025-21333-POC
+
+let QueryPeriod = 30d;
+let DetectionPeriod = 1h;
+let HyperVEnabledEndpoint =
+DeviceProcessEvents
+| where Timestamp > ago(QueryPeriod)
+| where FileName == "WindowsSandboxServer.exe"
+| distinct DeviceId;
+let VulnerableEndpoint =
+DeviceTvmSoftwareVulnerabilities
+| where CveId == "CVE-2025-21333"
+| distinct DeviceId;
+let NewExePOCCreation =
+DeviceFileEvents
+| where Timestamp > ago(DetectionPeriod)
+| where ActionType == "FileCreated"
+| where FileName endswith ".exe"
+| distinct FileName;
+DeviceEvents
+| where Timestamp > ago(DetectionPeriod)
+| where ActionType == "ProcessPrimaryTokenModified"
+| where FileName has_any(NewExePOCCreation)
+| where DeviceId has_any(HyperVEnabledEndpoint) and DeviceId has_any(VulnerableEndpoint)
+