Exploitation for Priv-Esc × Microsoft Windows AFD.sys driver

A publicly-reported instance of Exploitation for Priv-Esc bypassing Microsoft Windows AFD.sys driver, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows AFD.sys driver

Technique

Exploitation for Priv-Esc

MITRE ATT&CK

T1068

Confidence

High

Severity

Critical

Status

in the wild

Disclosed

2024-08-19

Config / version noted

Not stated

Provenance

securityaffairs.com
disclosed 2024-08-19 · original source · via exa

Reported as

FudModule rootkit then used direct kernel object manipulation (DKOM) to disable security products like Microsoft Defender

Mechanism

Exploitation of a use-after-free or similar bug in AFD.sys driver to escalate privileges to SYSTEM. The FudModule rootkit then used direct kernel object manipulation (DKOM) to disable security products like Microsoft Defender, CrowdStrike Falcon, and HitmanPro by suspending their Protected Process Light (PPL) processes.

Detection & mitigation

Monitor for unexpected SYSTEM-level processes spawned from low-integrity contexts or suspicious AFD.sys interactions (e.g., via Event ID 4688 with anomalous parent/child relationships). Deploy the Microsoft patch for CVE-2024-38193 and enforce kernel-mode driver signing to prevent rootkit installation.

Exploitation for Priv-Esc has also been recorded against

Apple Atlassian Bitdefender Broadcom (Symantec)Comodo Security ConnectWise CrowdStrike Elastic ESET F5 Fortinet Google

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.