Bypass Record

Exploitation for Priv-Esc × CrowdStrike Falcon

A publicly reported instance of Exploitation for Priv-Esc bypassing CrowdStrike Falcon, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: CrowdStrike Falcon
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2024-08-19
Config / version noted: Not stated

Provenance

Reported as

FudModule rootkit then used direct kernel object manipulation (DKOM) to disable security products like CrowdStrike Falcon

Mechanism

Exploitation of a use-after-free or similar bug in the AFD.sys driver (the Windows Ancillary Function Driver for WinSock) to escalate privileges to SYSTEM. The FudModule rootkit then used direct kernel object manipulation (DKOM) to disable security products, including Microsoft Defender, CrowdStrike Falcon, and HitmanPro, by suspending their Protected Process Light (PPL) processes.

Detection & mitigation

Monitor for unexpected SYSTEM-level processes spawned from low-integrity contexts, and for suspicious AFD.sys interactions (e.g., Security Event ID 4688 showing anomalous parent/child relationships). Deploy the Microsoft patch for CVE-2024-38193 and enforce kernel-mode driver signing to prevent rootkit installation.
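One way to operationalize the Event ID 4688 check above, as an added example that is not from the cited source: a small rule that flags SYSTEM-level process creations whose parent image lies outside an allowlist of system directories. The field names follow the Windows 4688 event (SubjectUserName, MandatoryLabel, NewProcessName, ParentProcessName); the allowlist, the sample events and the paths in them are constructed assumptions for illustration.

```python
"""Flag Security Event ID 4688 records where a SYSTEM-level process is
spawned by a parent image outside the expected system locations."""

# Integrity-level SID in the 4688 MandatoryLabel field for SYSTEM processes
SYSTEM_LABEL = "S-1-16-16384"

# Parent image directories expected to launch SYSTEM processes. A starting
# allowlist (an assumption, not from the cited source); tune per environment.
TRUSTED_PARENT_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
)

def is_system_level(event):
    """True if the new process runs as SYSTEM (by integrity label or account)."""
    return (event.get("MandatoryLabel") == SYSTEM_LABEL
            or event.get("SubjectUserName", "").upper() == "SYSTEM")

def parent_is_trusted(parent_path):
    """True if the parent image sits under an allowlisted directory."""
    return parent_path.replace("/", "\\").lower().startswith(TRUSTED_PARENT_PREFIXES)

def flag_suspicious_4688(events):
    """Return 4688 events where a SYSTEM-level child has an untrusted parent.
    Events lacking ParentProcessName (older builds omit it) are skipped, not guessed."""
    hits = []
    for evt in events:
        if evt.get("EventID") != 4688 or not is_system_level(evt):
            continue
        parent = evt.get("ParentProcessName")
        if parent and not parent_is_trusted(parent):
            hits.append(evt)
    return hits

# Constructed sample events (not from the cited source)
SAMPLE_EVENTS = [
    # Normal service start: SYSTEM child of services.exe
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "MandatoryLabel": SYSTEM_LABEL,
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe"},
    # Ordinary medium-integrity user process: out of scope for this rule
    {"EventID": 4688, "SubjectUserName": "alice", "MandatoryLabel": "S-1-16-8192",
     "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    # SYSTEM shell whose parent is a binary in a user's Temp directory
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "MandatoryLabel": SYSTEM_LABEL,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe"},
]
```

Only the third sample event is returned; the rule deliberately ignores events with no ParentProcessName rather than inferring a parent, so pair it with the patch status check rather than relying on it alone.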

Exploitation for Priv-Esc has also been recorded against

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.