Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The rule below does not detect the forged certificate itself; it alerts on the Microsoft-Windows-Audit-CVE event that a patched Windows host writes when CryptoAPI rejects such a certificate, so it only has coverage on hosts where the fix is installed and the Application event log is collected.


 1[metadata]
 2creation_date = "2020/03/19"
 3integration = ["windows", "system"]
 4maturity = "production"
 5updated_date = "2024/10/28"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC)
13certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a
14malicious executable, making it appear the file was from a trusted, legitimate source.
15"""
16index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
20risk_score = 21
21rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3"
22severity = "low"
23tags = [
24    "Domain: Endpoint",
25    "OS: Windows",
26    "Use Case: Threat Detection",
27    "Tactic: Defense Evasion",
28    "Use Case: Vulnerability",
29    "Data Source: System",
30]
31timestamp_override = "event.ingested"
32type = "query"
33
34query = '''
35event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1553"
43name = "Subvert Trust Controls"
44reference = "https://attack.mitre.org/techniques/T1553/"
45[[rule.threat.technique.subtechnique]]
46id = "T1553.002"
47name = "Code Signing"
48reference = "https://attack.mitre.org/techniques/T1553/002/"
49
50
51
52[rule.threat.tactic]
53id = "TA0005"
54name = "Defense Evasion"
55reference = "https://attack.mitre.org/tactics/TA0005/"

