Detectioncriticaltest

Audit CVE Event

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems), Zach MathisCreated Wed Jan 15Updated Sat Oct 2248d91a3a-2363-43ba-a456-ca71ac3da5c2windows

Log Source

Windowsapplication

ProductWindows← raw: windows

Serviceapplication← raw: application

Detection Logic

detection:
    selection:
        Provider_Name:
            - 'Microsoft-Windows-Audit-CVE'
            - 'Audit-CVE'
        EventID: 1
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution TA0004 · Privilege Escalation TA0005 · Defense Evasion TA0006 · Credential Access TA0008 · Lateral Movement TA0040 · Impact

Techniques

T1203 · Exploitation for Client Execution T1068 · Exploitation for Privilege Escalation T1211 · Exploitation for Defense Evasion T1212 · Exploitation for Credential Access T1210 · Exploitation of Remote Services

Sub-techniques

T1499.004 · Application or System Exploitation

Rule Metadata

Rule ID

48d91a3a-2363-43ba-a456-ca71ac3da5c2

Status

test

Level

critical

Type

Detection

Created

Wed Jan 15

Modified

Sat Oct 22

Author

Florian Roth (Nextron Systems), Zach Mathis

Path

rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml

Raw Tags

attack.executionattack.t1203attack.privilege-escalationattack.t1068attack.defense-evasionattack.t1211attack.credential-accessattack.t1212attack.lateral-movementattack.t1210attack.impactattack.t1499.004

View on GitHub