Microsoft Windows System Monitor (Sysmon) Elevation of Privilege Vulnerability, identified as CVE-2022-41120, was discovered and reported in June 2022. The vulnerability affects Sysmon versions 12.0 through 14.12; the flaw lies in the ClipboardChange event functionality that was introduced in version 12.0. The vulnerability was officially disclosed in November 2022 with a CVSS score of 7.8 (Security Online).
The vulnerability exists in the code responsible for the ClipboardChange event, which can be reached through RPC. Local users can send data to the RPC server, which Sysmon then writes to the C:\Sysmon directory (the default ArchiveDirectory) and subsequently deletes. In versions before 14.11, Sysmon failed to verify whether the directory had been created by a low-privilege user or whether it was a junction, so the directory could be redirected to perform arbitrary file delete/write operations in the context of the NT AUTHORITY\SYSTEM account (Security Online).
Successful exploitation of this vulnerability allows an authenticated local attacker to gain administrator privileges by elevating from a standard local user account to SYSTEM. The attacker could then execute arbitrary code with these higher system privileges (Security Online).
Microsoft released Sysmon v14.13 on November 28, 2022, which addresses the vulnerability by ensuring the archive directory has permissions restricted to the system account. For users unable to update to the latest version, a temporary workaround involves creating an ArchiveDirectory (C:\Sysmon by default) and setting permissions to only allow access to the NT AUTHORITY\SYSTEM account (Microsoft QA, Security Online).
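The following PowerShell script is an added example (not Microsoft's or the original report's code) that audits the workaround described above: it checks whether the ArchiveDirectory exists, whether it is a junction or symlink, who owns it, and whether any account other than NT AUTHORITY\SYSTEM has an ACE on it, and with -Remediate it creates the directory and replaces its ACL with a single SYSTEM-only rule. It assumes the default path C:\Sysmon; pass -Path if your Sysmon configuration uses a different ArchiveDirectory.

```powershell
# Added example: audit/harden the Sysmon ArchiveDirectory per the v14.13 workaround.
# Assumes the default C:\Sysmon; override with -Path. Run from an elevated prompt.
#Requires -RunAsAdministrator
param(
    [string]$Path = 'C:\Sysmon',
    [switch]$Remediate
)

$systemAccount = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'SYSTEM')
$findings = @()

if (Test-Path -LiteralPath $Path) {
    $item = Get-Item -LiteralPath $Path -Force
    # A junction or symlink at this path is the redirect that pre-14.11 Sysmon never checked for.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $findings += "$Path is a reparse point (junction/symlink); investigate before remediating"
    }
    $acl = Get-Acl -LiteralPath $Path
    # A directory created by a standard user will be owned by that user, not SYSTEM/Administrators.
    if ($acl.Owner -notin @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $findings += "Owner is '$($acl.Owner)'; expected NT AUTHORITY\SYSTEM or BUILTIN\Administrators"
    }
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne 'NT AUTHORITY\SYSTEM') {
            $kind = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            $findings += "$kind ACE grants $($ace.FileSystemRights) to $($ace.IdentityReference.Value)"
        }
    }
} else {
    $findings += "$Path does not exist; a low-privilege user could create it first"
}

if ($findings.Count -eq 0) { Write-Output "OK: $Path is restricted to NT AUTHORITY\SYSTEM"; return }
$findings | ForEach-Object { Write-Output "FINDING: $_" }

if ($Remediate) {
    if ((Test-Path -LiteralPath $Path) -and
        ((Get-Item -LiteralPath $Path -Force).Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        Write-Output "Not remediating: $Path is a reparse point; remove it manually after review"
        return
    }
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting ACEs from the drive root
    $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $systemAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "Remediated: $Path now grants access only to NT AUTHORITY\SYSTEM"
}
```

Run it without -Remediate first to see the findings; the script deliberately refuses to touch a path that is already a reparse point so that an administrator can inspect where it points before anything is changed.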
Security researchers actively discussed the vulnerability on social media, with researcher Filip Dragovic confirming that even version 14.12 remained vulnerable to the exploit (Microsoft QA).
Source: This report was generated using AI