Elevation of Privilege in Sysmon

Sysmon (System Monitor), part of Microsoft's extremely useful Sysinternals suite, is a popular tool that monitors system activity and records it in the Windows event log. That is why many people, security practitioners in particular, use it to collect useful telemetry that they then forward to a SIEM, where they have a range of options for analysis.

Infigo IS security expert Filip Dragovic found a vulnerability in this tool, which often runs on the most important machines within an organization, that allows a local attacker to escalate privileges: by exploiting it, a local authenticated user can gain administrator privileges.
The vulnerability received a CVSS (Common Vulnerability Scoring System) severity rating of 7.8 / 6.8 (CVSS measures severity, not risk) and the identifier CVE-2022-41120. You can read more about the vulnerability in the official Microsoft Security Response Center entry.