Microsoft-Windows-Audit-CVE

2 events across 2 channels

Event ID 1 — Possible detection of CVE: %1 Additional Information: %2 This Event is generated when an attempt to exploit a known vulnerability (%1) is detected.

Provider
Microsoft-Windows-Audit-CVE
Channel
Application
Level
3
Samples
1

Message

Possible detection of CVE: %1
Additional Information: %2

This Event is generated when an attempt to exploit a known vulnerability (%1) is detected.
This Event is raised by a User mode process.

Fields

Name                    Description
PossibleDetectionOfCVE
Additional_Information

Example Event

system:
  provider: Microsoft-Windows-Audit-CVE
  guid: 85A62A0D-7E17-485F-9D4F-749A287193A6
  event_source_name: ''
  event_id: 1
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2020-01-18T18:14:29.831868Z'
  event_record_id: 19156
  correlation: {}
  execution:
    process_id: 23004
    thread_id: 22388
  channel: Application
  computer: Isaac
  security:
    user_id: S-1-5-21-955638165-4017457581-270078328-1001
event_data:
  CVEID: '[CVE-2020-0601] cert validation'
  AdditionalDetails: 'CA: <USERTrust ECC Certification Authority> sha1: C01B8463C8619676BA102EEBF0C30CDCED9A942B
    para: 06052B81040022 otherPara

Sigma Rules

  • Audit CVE Event
    Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
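The detection logic that Sigma rule describes, written out as an added Python example (it is not the Sigma project's rule and not code from this page): it matches records by the Audit-CVE provider name or GUID and by Event ID 1 or 2, then pulls the CVE identifier and details out of the event data. The provider name, GUID, event IDs, channels and the first sample record's values are taken from this page; the second sample record, the dictionary layout of the records and the fallback to the `PossibleDetectionOfCVE`/`Additional_Information` field names listed for Event ID 1 are assumptions made for the example.

```python
import re
from typing import Iterable

# Provider name and GUID as shown in the Example Event on this page.
AUDIT_CVE_PROVIDER = "Microsoft-Windows-Audit-CVE"
AUDIT_CVE_GUID = "85A62A0D-7E17-485F-9D4F-749A287193A6"

# Event ID 1 is raised by user-mode processes (Application channel),
# Event ID 2 by kernel-mode drivers (System channel).
AUDIT_CVE_EVENTS = {1: "Application", 2: "System"}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def is_audit_cve_event(event: dict) -> bool:
    """Equivalent of the Sigma selection: Audit-CVE provider, Event ID 1 or 2."""
    system = event.get("system", {})
    provider_ok = (
        system.get("provider") == AUDIT_CVE_PROVIDER
        or str(system.get("guid", "")).upper() == AUDIT_CVE_GUID
    )
    return provider_ok and system.get("event_id") in AUDIT_CVE_EVENTS


def summarize(event: dict) -> dict:
    """Extract the fields an analyst wants from a matching record."""
    system = event["system"]
    data = event.get("event_data", {})
    # The example event uses CVEID/AdditionalDetails; the field table for
    # Event ID 1 names them PossibleDetectionOfCVE/Additional_Information,
    # so both spellings are accepted (assumption for this example).
    cve_field = data.get("CVEID") or data.get("PossibleDetectionOfCVE") or ""
    details = data.get("AdditionalDetails") or data.get("Additional_Information") or ""
    match = CVE_RE.search(cve_field)
    return {
        "event_id": system["event_id"],
        "channel": system.get("channel"),
        "expected_channel": AUDIT_CVE_EVENTS[system["event_id"]],
        "computer": system.get("computer"),
        "process_id": system.get("execution", {}).get("process_id"),
        "cve": match.group(0) if match else None,
        "raw_cve_field": cve_field,
        "details": details,
    }


def detect(events: Iterable[dict]) -> list[dict]:
    """Run the rule over a batch of records and summarize every hit."""
    return [summarize(e) for e in events if is_audit_cve_event(e)]


# Constructed sample records. The first mirrors the Example Event on this page
# (AdditionalDetails shortened); the second is an unrelated Application-channel
# event that must not match.
SAMPLE_EVENTS = [
    {
        "system": {
            "provider": AUDIT_CVE_PROVIDER,
            "guid": AUDIT_CVE_GUID,
            "event_id": 1,
            "level": 3,
            "channel": "Application",
            "computer": "Isaac",
            "execution": {"process_id": 23004, "thread_id": 22388},
        },
        "event_data": {
            "CVEID": "[CVE-2020-0601] cert validation",
            "AdditionalDetails": "CA: <USERTrust ECC Certification Authority> "
                                 "sha1: C01B8463C8619676BA102EEBF0C30CDCED9A942B",
        },
    },
    {
        "system": {
            "provider": "Application Error",
            "event_id": 1000,
            "channel": "Application",
            "computer": "Isaac",
        },
        "event_data": {"Faulting application name": "example.exe"},
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['cve']} on {hit['computer']} "
              f"(Event ID {hit['event_id']}, pid {hit['process_id']}): {hit['details']}")
```

Matching on the provider GUID as well as the name keeps the check working where a log pipeline only forwards the GUID; the `expected_channel` field lets a downstream rule flag records whose channel disagrees with the event ID, which is worth a second look in a forwarded log.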

Event ID 2 — Possible detection of CVE: %1 Additional Information: %2 This Event is generated when an attempt to exploit a known vulnerability (%1) is detected.

Provider
Microsoft-Windows-Audit-CVE
Channel
System

Message

Possible detection of CVE: %1
Additional Information: %2

This Event is generated when an attempt to exploit a known vulnerability (%1) is detected.
This Event is raised by a kernel mode driver.

Fields

NameDescription
CVEID
AdditionalDetails