Nasreddine Bencherchali
43 lines
1.4 KiB
YAML
43 lines
1.4 KiB
YAML
title: Audit CVE Event
|
|
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
|
|
status: experimental
|
|
description: |
|
|
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
|
|
MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
|
|
Unfortunately, that is about the only instance of CVEs being written to this log.
|
|
references:
|
|
- https://twitter.com/VM_vivisector/status/1217190929330655232
|
|
- https://twitter.com/DidierStevens/status/1217533958096924676
|
|
- https://twitter.com/FlemmingRiis/status/1217147415482060800
|
|
- https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
|
|
- https://nullsec.us/windows-event-log-audit-cve/
|
|
author: Florian Roth (Nextron Systems), Zach Mathis
|
|
date: 2020/01/15
|
|
modified: 2022/10/22
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1203
|
|
- attack.privilege_escalation
|
|
- attack.t1068
|
|
- attack.defense_evasion
|
|
- attack.t1211
|
|
- attack.credential_access
|
|
- attack.t1212
|
|
- attack.lateral_movement
|
|
- attack.t1210
|
|
- attack.impact
|
|
- attack.t1499.004
|
|
logsource:
|
|
product: windows
|
|
service: application
|
|
detection:
|
|
selection:
|
|
Provider_Name:
|
|
- 'Microsoft-Windows-Audit-CVE'
|
|
- 'Audit-CVE'
|
|
EventID: 1
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|