CVE-2024-26169: Windows Error Reporting — Privilege Escalation

CVE Details

CVE ID CVE-2024-26169
CVSS Score 7.8
Severity High
Vendor Microsoft
Product Windows Error Reporting Service
Patch Status Available
Published June 13, 2024
EPSS Score 34.6%
CISA Patch Deadline July 4, 2024 (federal deadline passed)

Background

Windows Error Reporting (WER) is the service that sends crash reports to Microsoft. When an application crashes, WER collects diagnostic information and (with user permission or in enterprise configurations, silently) sends it to Microsoft. Because crash reporting involves interacting with arbitrary processes, dump files, and file system operations across privilege boundaries, it’s historically been a source of privilege escalation vulnerabilities.

CVE-2024-26169 was patched by Microsoft in March 2024. Symantec researchers identified it being exploited by a financially motivated threat actor deploying ransomware — specifically, they found an exploit binary that had been compiled before the patch was available, suggesting it was used as a zero-day. The vulnerability was used to elevate from a regular user account to SYSTEM before deploying ransomware.

Technical Mechanism

The Windows Error Reporting service runs as SYSTEM. When WER processes crash data for user-mode applications, it needs to write crash dump files and log entries to various locations. The vulnerability is in how WER handles file operations — specifically, it creates or operates on files in a way that can be hijacked by a low-privilege attacker.

The exploit technique is likely a symlink or junction attack on a predictable file path:

  1. The WER service creates or modifies a file at a predictable, attacker-writable path
  2. Before WER creates the file, the attacker creates a symlink or directory junction at that path pointing to a sensitive system file (e.g., a Windows system DLL or a registry hive backup)
  3. When WER follows the path, it writes to the attacker’s redirect target instead
  4. By redirecting WER’s file write to a system binary location, the attacker writes a malicious DLL or executable
  5. When Windows loads the modified file (either by triggering an application crash, or waiting for a service restart), code execution occurs as SYSTEM

This class of attack — TOCTOU (time-of-check-time-of-use) or symlink attacks on system services — is well-understood and has been the basis of many Windows LPE exploits.

Real-World Exploitation Evidence

Symantec’s Threat Hunter Team published research identifying exploitation:

  • Pre-patch compilation — the exploit binary they found had a compilation timestamp predating the March 2024 patch, consistent with zero-day exploitation
  • Ransomware precursor — the exploit was used in a chain leading to ransomware deployment (suspected to be related to a group aligned with Black Basta ransomware based on TTPs, though not definitively attributed in Symantec’s published analysis)
  • Targeted deployment — the exploitation was targeted rather than widespread at the time of discovery

The use of WER exploitation for ransomware LPE shows that financially motivated actors invest in kernel/system-level exploit capabilities, not just nation-state actors.

Impact Assessment

  • SYSTEM privilege escalation from any user code execution
  • Security tool bypass — SYSTEM enables disabling AV/EDR software
  • Full ransomware deployment — SYSTEM is required for encrypting all files including those protected by user-level permissions
  • Credential dumping — LSASS and SAM accessible at SYSTEM
  • Domain escalation — SYSTEM on domain-joined machine enables further AD attacks

Affected Versions

Product                          Affected Versions            Fixed Version
Windows 10 (21H2, 22H2)          Before March 2024 patches    KB5035845
Windows 11 (21H2, 22H2, 23H2)    Before March 2024 patches    KB5035854, KB5035853
Windows Server 2019              Before March 2024 patches    KB5035849
Windows Server 2022              Before March 2024 patches    KB5035857

Remediation Steps

  1. Apply March 2024 Patch Tuesday updates
  2. If ransomware-related activity is suspected alongside this vulnerability:
    • Check for Black Basta or similar ransomware IOCs
    • Review recently created administrator accounts
    • Check for Cobalt Strike or similar post-exploitation framework presence
  3. Enable Windows Defender Exploit Protection (EMET successor):
    # Enable Exploit Protection
    Set-ProcessMitigation -System -Enable CFG, SEHOP
  4. Consider disabling WER if not required by policy (though this loses crash telemetry):
    reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1
  5. Monitor for symlink and junction attacks on WER directories

Detection Guidance

Windows Event Logs:

  • Event ID 4688: Unexpected process creation from WER service parent
  • Audit Object Access: file access events on WER-related paths (requires object access auditing enabled)

File system monitoring — watch for junction point or symlink creation in WER data directories:

  • C:\ProgramData\Microsoft\Windows\WER\
  • C:\Users\<user>\AppData\Local\Microsoft\Windows\WER\
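As an added example (not code from the advisory, from Symantec, or from Microsoft), the following Python script implements the check behind step 5 of the remediation list and the file-system monitoring guidance above: it walks the WER data directories without following links and reports every symlink or NTFS reparse point (junction) it finds, which is the artefact that the path redirect described under Technical Mechanism leaves on disk. The directory list, the 0x400 fallback constant, and the constructed demo tree built by build_demo_tree() (used only when the real WER directories are absent) are assumptions.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# WER data directories named in the advisory; LOCALAPPDATA stands in for C:\Users\<user>\AppData\Local.
WER_DIRS = [
    r"C:\ProgramData\Microsoft\Windows\WER",
    os.path.join(os.environ.get("LOCALAPPDATA", r"C:\Users\<user>\AppData\Local"),
                 "Microsoft", "Windows", "WER"),
]

# stat.FILE_ATTRIBUTE_REPARSE_POINT exists only in Windows builds of Python;
# 0x400 is the documented Win32 value, used as a fallback so the module imports anywhere.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path: str) -> bool:
    """True for a symlink on any OS, or for any NTFS reparse point (junction, mount point, symlink)."""
    try:
        st = os.lstat(path)  # inspect the directory entry itself; never follow it
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE_POINT)


def scan_reparse_points(root: str) -> List[Tuple[str, str]]:
    """Walk `root` without following links; return (path, kind) for every reparse point found."""
    findings: List[Tuple[str, str]] = []
    if not os.path.isdir(root):
        return findings
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_reparse_point(full):
                # os.path.islink is False for NTFS junctions, so they are reported separately
                kind = "symlink" if os.path.islink(full) else "junction/reparse point"
                findings.append((full, kind))
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree: one ordinary report file plus one planted symlink (demo data only)."""
    root = tempfile.mkdtemp(prefix="wer-demo-")
    report_dir = os.path.join(root, "ReportQueue", "Report0001")
    os.makedirs(report_dir)
    with open(os.path.join(report_dir, "Report.wer"), "w") as fh:
        fh.write("Version=1\n")  # placeholder content, not a real report
    target = os.path.join(root, "sensitive-target.txt")  # stand-in for a protected system file
    with open(target, "w") as fh:
        fh.write("do not overwrite\n")
    # A dump-file name pointing somewhere else is what the scanner must surface.
    os.symlink(target, os.path.join(report_dir, "memory.hdmp"))
    return root


if __name__ == "__main__":
    roots = WER_DIRS if any(os.path.isdir(d) for d in WER_DIRS) else [build_demo_tree()]
    for r in roots:
        for path, kind in scan_reparse_points(r):
            print(f"[!] {kind}: {path}")
```

A healthy WER tree normally contains no reparse points at all, so any finding is worth triage rather than tuning; running the scan from a scheduled task or an EDR response action gives a cheap complement to object-access auditing, which only sees the events you had auditing enabled for.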

SIEM rule:

event_id = 4688 AND
parent_process_name = "wermgr.exe" AND
NOT process_name IN ("WerFault.exe", "WerFaultSecure.exe")

Process monitoring: wermgr.exe spawning cmd.exe, powershell.exe, or other shells is a strong indicator of exploitation.
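To make the SIEM rule concrete, here is an added Python implementation (not from the advisory or any vendor) that parses a few constructed 4688 events flattened to key=value form, applies the same parent/child logic as the rule, and raises the severity when the child is one of the shells named in the process-monitoring note. The sample lines, the key=value format, and the inclusion of pwsh.exe alongside cmd.exe and powershell.exe are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# From the advisory's SIEM rule: the children wermgr.exe legitimately spawns.
EXPECTED_WER_CHILDREN = {"werfault.exe", "werfaultsecure.exe"}
WER_PARENT = "wermgr.exe"
# Shell images from the process-monitoring note; pwsh.exe is an assumption added here.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample of Security-log 4688 events in key=value form (not real telemetry).
SAMPLE_LINES = [
    r"EventID=4688 NewProcessName=C:\Windows\System32\WerFault.exe ParentProcessName=C:\Windows\System32\wermgr.exe SubjectUserName=alice",
    r"EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\System32\wermgr.exe SubjectUserName=SYSTEM",
    r"EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\explorer.exe SubjectUserName=alice",
    r"EventID=4688 NewProcessName=C:\Users\alice\AppData\Local\Temp\stage.exe ParentProcessName=C:\Windows\System32\wermgr.exe SubjectUserName=SYSTEM",
    r"EventID=4624 LogonType=3 SubjectUserName=bob",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; values here never contain spaces (constructed format)."""
    return dict(FIELD_RE.findall(line))


def image_name(path: str) -> str:
    """Case-folded file name of a Windows image path (last backslash component)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_4688(event: Dict[str, str]) -> Optional[str]:
    """Return 'high' or 'medium' when the event violates the rule, None when it is benign."""
    if event.get("EventID") != "4688":
        return None
    parent = image_name(event.get("ParentProcessName", ""))
    child = image_name(event.get("NewProcessName", ""))
    # Rule: parent is wermgr.exe AND child is not one of WER's expected helpers.
    if parent != WER_PARENT or child in EXPECTED_WER_CHILDREN:
        return None
    return "high" if child in SHELL_IMAGES else "medium"


def run_detection(lines) -> List[Tuple[int, str, str]]:
    """Apply the rule to every line; return (line index, severity, child image) for each alert."""
    alerts: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        event = parse_line(line)
        severity = classify_4688(event)
        if severity:
            alerts.append((idx, severity, image_name(event.get("NewProcessName", ""))))
    return alerts


if __name__ == "__main__":
    for idx, severity, child in run_detection(SAMPLE_LINES):
        print(f"line {idx}: {severity} - wermgr.exe spawned {child}")
```

Comparing file names case-insensitively matters in practice: 4688 records the image path as the caller supplied it, so a match on the exact string "wermgr.exe" would miss mixed-case paths. Full command lines (Audit Process Creation with command-line logging enabled) would let you tighten the medium-severity branch further, but they are not in the constructed sample.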

Suricata signature (for ransomware C2 following exploitation):

alert tls $HOME_NET any -> any any (msg:"Possible Black Basta C2 After WER LPE - CVE-2024-26169"; flow:established,to_server; tls.sni; pcre:"/^[a-z0-9]{10,20}\.(xyz|top|live|site)$/"; classtype:trojan-activity; sid:2034029; rev:1;)

Timeline

Date                  Event
2024 (before March)   CVE-2024-26169 exploited as zero-day by ransomware threat actor
12 March 2024         Microsoft patches CVE-2024-26169 in March Patch Tuesday
March 2024            CISA adds to Known Exploited Vulnerabilities catalogue
May 2024              Symantec publishes analysis identifying pre-patch compilation of exploit