Audit CVE Event

calendar Oct 17, 2023 · attack.execution attack.t1203 attack.privilege_escalation attack.t1068 attack.defense_evasion attack.t1211 attack.credential_access attack.t1212 attack.lateral_movement attack.t1210 attack.impact attack.t1499.004  ·
Share on: linkedin copy

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Sigma rule (View on GitHub)

 1title: Audit CVE Event
 2id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
 3status: test
 4description: |
 5    Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
 6    MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
 7    Unfortunately, that is about the only instance of CVEs being written to this log.    
 8references:
 9    - https://twitter.com/VM_vivisector/status/1217190929330655232
10    - https://twitter.com/DidierStevens/status/1217533958096924676
11    - https://twitter.com/FlemmingRiis/status/1217147415482060800
12    - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
13    - https://nullsec.us/windows-event-log-audit-cve/
14author: Florian Roth (Nextron Systems), Zach Mathis
15date: 2020/01/15
16modified: 2022/10/22
17tags:
18    - attack.execution
19    - attack.t1203
20    - attack.privilege_escalation
21    - attack.t1068
22    - attack.defense_evasion
23    - attack.t1211
24    - attack.credential_access
25    - attack.t1212
26    - attack.lateral_movement
27    - attack.t1210
28    - attack.impact
29    - attack.t1499.004
30logsource:
31    product: windows
32    service: application
33detection:
34    selection:
35        Provider_Name:
36            - 'Microsoft-Windows-Audit-CVE'
37            - 'Audit-CVE'
38        EventID: 1
39    condition: selection
40falsepositives:
41    - Unknown
42level: critical

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • YouTube

    Share your videos with friends, family, and the world


    Read More

  • Windows Event Log - Audit-CVE

    Update: This event appears for both binaries and websites in build 1809 and 1909, but only for binaries in 1903 (not web). So if you're looking for this event and not finding it, that may be why. I have not confirmed this myself, so if someone else comes across this,


    Read More

Related rules

to-top