Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The rule below keys on the Microsoft-Windows-Audit-CVE event that a host with the CVE-2020-0601 fix installed logs when it rejects such a certificate; hosts without the fix emit no such event, so this rule does not cover them.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/03/19"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC)
11certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a
12malicious executable, making it appear the file was from a trusted, legitimate source.
13"""
14index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
18risk_score = 21
19rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3"
20severity = "low"
21tags = [
22    "Domain: Endpoint",
23    "OS: Windows",
24    "Use Case: Threat Detection",
25    "Tactic: Defense Evasion",
26    "Use Case: Vulnerability",
27]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1553"
40name = "Subvert Trust Controls"
41reference = "https://attack.mitre.org/techniques/T1553/"
42[[rule.threat.technique.subtechnique]]
43id = "T1553.002"
44name = "Code Signing"
45reference = "https://attack.mitre.org/techniques/T1553/002/"
46
47
48
49[rule.threat.tactic]
50id = "TA0005"
51name = "Defense Evasion"
52reference = "https://attack.mitre.org/tactics/TA0005/"

