Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule for CVE-2020-0601 ("CurveBall"), the
# Windows CryptoAPI ECC certificate spoofing flaw. Comments are review notes;
# every key and value is unchanged.
[metadata]
creation_date = "2020/03/19"
integration = ["windows"]
maturity = "production"
# Free-text reason the minimum stack version was raised; informational only.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"

[rule]
author = ["Elastic"]
description = """
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC)
certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a
malicious executable, making it appear the file was from a trusted, legitimate source.
"""
# Index patterns the query is evaluated against.
# NOTE(review): the Audit-CVE entry this rule keys on is, to my knowledge,
# written to the Windows Application event channel rather than Security;
# confirm that the collector feeding these indices forwards that channel,
# otherwise the rule never sees the event.
index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
language = "kuery"
license = "Elastic License v2"
name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
# Low score/severity: the matched event is raised by Windows itself after
# the fix for this CVE is installed, i.e. on a host where the spoofed
# certificate should already have been rejected. Treat a hit as evidence of
# an attempt and triage the signed file and its certificate chain on the
# reporting host; consider raising the score where this event is rare.
risk_score = 21
rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"]
# Alert time comes from ingest time rather than the event timestamp, so
# late-arriving or backfilled logs still fall inside the rule's lookback.
timestamp_override = "event.ingested"
type = "query"

# Matches the log entry the Audit-CVE provider emits when CryptoAPI detects
# an attempt to exploit this CVE; the bracketed CVE id is part of the event
# message text. Hosts without the fix installed do not produce this event at
# all, so an absence of alerts says nothing about unpatched machines —
# patch coverage has to be verified separately.
query = '''
event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows
'''


# ATT&CK mapping: a spoofed code-signing certificate subverts the trust
# placed in signed binaries (Subvert Trust Controls / Code Signing).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"
[[rule.threat.technique.subtechnique]]
id = "T1553.002"
name = "Code Signing"
reference = "https://attack.mitre.org/techniques/T1553/002/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
