Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The rule below does not inspect certificates itself: it keys on the Application-log event (source Microsoft-Windows-Audit-CVE, event ID 1, message prefixed with "[CVE-2020-0601]") that Windows writes only after the January 2020 security update is installed, so an unpatched host produces no signal, and a hit means a patched host rejected a spoofed certificate rather than that an exploit succeeded.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/03/19"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"

[rule]
author = ["Elastic"]
description = """
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC)
certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a
malicious executable, making it appear the file was from a trusted, legitimate source.
"""
index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
language = "kuery"
license = "Elastic License v2"
name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
risk_score = 21
rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"
[[rule.threat.technique.subtechnique]]
id = "T1553.002"
name = "Code Signing"
reference = "https://attack.mitre.org/techniques/T1553/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
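The query above is three ANDed clauses over ECS fields. The following Python is an added example, not part of the Elastic rule or its repository: it replays the same predicate over a handful of constructed ECS-shaped documents so the edge cases are visible (same audit provider but a different CVE tag, the right event on a non-Windows host, the CVE string turning up in an unrelated provider's message, and a document with no host metadata). It assumes `event.provider` and `host.os.type` behave as keyword fields (exact comparison) and approximates the KQL phrase match on the analyzed `message` text field with a case-insensitive substring test; the sample events and host names are invented.

```python
"""Replay the CurveBall rule's KQL predicate over constructed ECS events."""
from typing import Any, Dict, List, Optional

# Constructed sample documents in the nested ECS shape that Winlogbeat or the
# Elastic Agent "windows"/"system" integrations produce. Not real captures.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # Patched host rejecting a spoofed ECC certificate: should fire.
        "@timestamp": "2024-03-08T10:15:02.000Z",
        "event": {"provider": "Microsoft-Windows-Audit-CVE", "code": "1"},
        "message": "[CVE-2020-0601] cert validation",
        "host": {"name": "ws-01", "os": {"type": "windows"}},
    },
    {   # Same audit provider, placeholder tag for some other audited issue: no hit.
        "@timestamp": "2024-03-08T10:16:40.000Z",
        "event": {"provider": "Microsoft-Windows-Audit-CVE", "code": "1"},
        "message": "[CVE-0000-0000] placeholder message",
        "host": {"name": "ws-01", "os": {"type": "windows"}},
    },
    {   # Right provider and message, but host.os.type is not windows: no hit.
        "@timestamp": "2024-03-08T10:17:05.000Z",
        "event": {"provider": "Microsoft-Windows-Audit-CVE", "code": "1"},
        "message": "[CVE-2020-0601] cert validation",
        "host": {"name": "box-02", "os": {"type": "linux"}},
    },
    {   # CVE string inside an unrelated provider's message (e.g. a command line): no hit.
        "@timestamp": "2024-03-08T10:18:11.000Z",
        "event": {"provider": "Microsoft-Windows-Security-Auditing", "code": "4688"},
        "message": "A new process has been created. Command Line: test.exe [CVE-2020-0601]",
        "host": {"name": "ws-03", "os": {"type": "windows"}},
    },
    {   # Host enrichment missing entirely: host.os.type is absent, so no hit.
        "@timestamp": "2024-03-08T10:19:30.000Z",
        "event": {"provider": "Microsoft-Windows-Audit-CVE", "code": "1"},
        "message": "[CVE-2020-0601] cert validation",
    },
]


def get_field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS field name (e.g. 'host.os.type') in a nested document.

    Returns None when any segment is missing, mirroring how an absent field
    simply fails to match in KQL rather than raising.
    """
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_curveball_rule(doc: Dict[str, Any]) -> bool:
    """Evaluate the rule's three clauses against one document.

    event.provider:"Microsoft-Windows-Audit-CVE"  -> exact keyword comparison
    message:"[CVE-2020-0601]"                      -> phrase match on a text field,
                                                     approximated here as a
                                                     case-insensitive substring
    host.os.type:windows                           -> exact keyword comparison
    """
    provider = get_field(doc, "event.provider")
    message = get_field(doc, "message")
    os_type = get_field(doc, "host.os.type")
    return (
        provider == "Microsoft-Windows-Audit-CVE"
        and isinstance(message, str)
        and "[cve-2020-0601]" in message.lower()
        and os_type == "windows"
    )


def run_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return a flat alert record for every document the rule matches."""
    return [
        {
            "@timestamp": get_field(e, "@timestamp"),
            "host.name": get_field(e, "host.name"),
            "message": get_field(e, "message"),
        }
        for e in events
        if matches_curveball_rule(e)
    ]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Only the first constructed document produces an alert. Because the event is emitted by the patched validator, a real hit points at a host that has already blocked the certificate; the interesting follow-up is where the signed file or TLS endpoint came from, not whether the host was compromised by it.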
Related rules
- File Creation Time Changed
- MS Office Macro Security Registry Modifications
- Potential Antimalware Scan Interface Bypass via PowerShell
- Potential Credential Access via Renamed COM+ Services DLL
- Potential Process Injection via PowerShell