Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API on an attempt to exploit a known vulnerability. Microsoft started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
Sigma rule
```yaml
title: Audit CVE Event
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
status: test
description: |
    Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
    MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability).
    Unfortunately, that is about the only instance of CVEs being written to this log.
references:
    - https://twitter.com/VM_vivisector/status/1217190929330655232
    - https://twitter.com/DidierStevens/status/1217533958096924676
    - https://twitter.com/FlemmingRiis/status/1217147415482060800
    - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
    - https://nullsec.us/windows-event-log-audit-cve/
author: Florian Roth (Nextron Systems), Zach Mathis
date: 2020-01-15
modified: 2022-10-22
tags:
    - attack.execution
    - attack.t1203
    - attack.privilege-escalation
    - attack.t1068
    - attack.defense-evasion
    - attack.t1211
    - attack.credential-access
    - attack.t1212
    - attack.lateral-movement
    - attack.t1210
    - attack.impact
    - attack.t1499.004
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name:
            - 'Microsoft-Windows-Audit-CVE'
            - 'Audit-CVE'
        EventID: 1
    condition: selection
falsepositives:
    - Unknown
level: critical
```
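To show what the rule's `selection` actually matches, here is an added example (not code from the SigmaHQ project) that applies the same logic a SIEM backend would derive from it to a few constructed Application-log records in EVTX-to-JSON shape. The hostnames and messages are made up; the provider names and event ID are the ones the rule lists.

```python
# Added example: evaluate the Audit CVE Event rule's selection over sample records.
from typing import Any, Dict, List

# Values taken from the Sigma rule above. Sigma string matching is
# case-insensitive by default, so compare lower-cased values.
CVE_PROVIDERS = {"microsoft-windows-audit-cve", "audit-cve"}
CVE_EVENT_ID = 1


def matches_audit_cve(event: Dict[str, Any]) -> bool:
    """Sigma 'selection': Provider_Name in the list AND EventID == 1.

    Field names follow the Sigma Windows convention used by the rule. EventID
    is coerced to int because some exporters emit it as a string.
    """
    provider = str(event.get("Provider_Name", "")).lower()
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False
    return provider in CVE_PROVIDERS and event_id == CVE_EVENT_ID


def run_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the records that would raise a level=critical alert under this rule."""
    return [e for e in events if matches_audit_cve(e)]


# Constructed sample records (not real logs); the first mirrors the shape of the
# CVE-2020-0601 event that prompted the rule, the rest are deliberate non-matches.
SAMPLE_EVENTS = [
    {"Channel": "Application", "Provider_Name": "Microsoft-Windows-Audit-CVE", "EventID": 1,
     "Computer": "ws01.example.local", "Message": "[CVE-2020-0601] cert validation"},
    {"Channel": "Application", "Provider_Name": "Audit-CVE", "EventID": "1",
     "Computer": "ws02.example.local", "Message": "[CVE-PLACEHOLDER] constructed test event"},
    {"Channel": "Application", "Provider_Name": "Microsoft-Windows-Audit-CVE", "EventID": 2,
     "Computer": "ws01.example.local", "Message": "same provider, wrong event id"},
    {"Channel": "Application", "Provider_Name": "Microsoft-Windows-Security-SPP", "EventID": 1,
     "Computer": "ws01.example.local", "Message": "same event id, unrelated provider"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT level=critical host={hit['Computer']} msg={hit['Message']}")
```

Only the first two records fire; the third and fourth show why both conditions of the selection are needed.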
Related rules
- OMIGOD HTTP No Authentication RCE
- OMIGOD SCX RunAsProvider ExecuteScript
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- Potentially Suspicious Child Process of KeyScrambler.exe
- WannaCry Ransomware Activity