Microsoft-Windows-Audit-CVE

2 events across 2 channels

Event ID 1 — Possible detection of CVE: PossibleDetectionOfCVE.

Provider: Microsoft-Windows-Audit-CVE
Channel: Application
Level: Warning
Opcode: Info

Description

Possible detection of CVE: PossibleDetectionOfCVE.

Message

Possible detection of CVE: %1
Additional Information: %2

This Event is generated when an attempt to exploit a known vulnerability (%1) is detected.
This Event is raised by a User mode process.

Fields

Name                      Description
PossibleDetectionOfCVE    %1 in the message: the CVE being exploited (the example event below carries it as CVEID)
Additional_Information    %2 in the message: free-form details (the example event below carries it as AdditionalDetails)

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Audit-CVE",
    "guid": "85A62A0D-7E17-485F-9D4F-749A287193A6",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2020-01-18T18:14:29.831868Z",
    "event_record_id": 19156,
    "correlation": {},
    "execution": {
      "process_id": 23004,
      "thread_id": 22388
    },
    "channel": "Application",
    "computer": "Isaac",
    "security": {
      "user_id": "S-1-5-21-955638165-4017457581-270078328-1001"
    }
  },
  "event_data": {
    "CVEID": "[CVE-2020-0601] cert validation",
    "AdditionalDetails": "CA: <USERTrust ECC Certification Authority> sha1: C01B8463C8619676BA102EEBF0C30CDCED9A942B para: 06052B81040022 otherPara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
  }
}

Detection Rules


Sigma

  • Audit CVE Event (level: critical): Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.

Event ID 2 — Possible detection of CVE: CVEID.

Provider: Microsoft-Windows-Audit-CVE
Channel: System
Opcode: Info

Description

Possible detection of CVE: CVEID.

Message

Possible detection of CVE: %1
Additional Information: %2

This Event is generated when an attempt to exploit a known vulnerability (%1) is detected.
This Event is raised by a kernel mode driver.

Fields

Name                Type
CVEID               UnicodeString
AdditionalDetails   UnicodeString
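The following is an added example, not part of this reference page and not code from Microsoft or the Sigma project. It applies the logic of the Sigma rule listed under Event ID 1 (match on the provider name Microsoft-Windows-Audit-CVE) to events from both channels, Event 1 from a user-mode process in the Application log and Event 2 from a kernel-mode driver in the System log, and pulls the CVE identifier out of the CVEID field and the key/value pairs out of AdditionalDetails. The function names (`match_audit_cve`, `parse_details`, `event_from_xml`, `scan`), the fallback match on the provider GUID, and the `channel_ok` consistency check are this example's own choices; the JSON shape follows the example event above, the Event XML namespace is the standard Windows event schema, and every sample event is constructed here rather than captured from a host.

```python
# Added example, not part of this reference page nor code from Microsoft or the
# Sigma project: apply the Sigma rule's logic (match on provider name) to
# Audit-CVE events from either channel and extract the CVE id and details.
# Every event below is constructed to mirror the page's example, not captured.
import re
import xml.etree.ElementTree as ET
from typing import Optional

AUDIT_CVE_PROVIDER = "Microsoft-Windows-Audit-CVE"
AUDIT_CVE_GUID = "85A62A0D-7E17-485F-9D4F-749A287193A6"
# Event 1 comes from a user-mode process (Application log), Event 2 from a
# kernel-mode driver (System log); both carry the same two fields.
ORIGIN_BY_EVENT_ID = {1: ("Application", "user mode"), 2: ("System", "kernel mode")}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)  # "[CVE-2020-0601] ..."
DETAIL_RE = re.compile(r"(\w+):\s*(<[^>]*>|\S+)")          # "CA: <...> sha1: ..."
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Event XML ns


def parse_details(text: str) -> dict:
    """Split AdditionalDetails into key/value pairs; <bracketed> values may hold spaces."""
    return {k: v.strip("<>") for k, v in DETAIL_RE.findall(text)}


def event_from_xml(xml_text: str) -> dict:
    """Convert Event XML (what Get-WinEvent's ToXml() returns) into the page's JSON shape."""
    root = ET.fromstring(xml_text)
    sysn = root.find("e:System", NS)
    prov = sysn.find("e:Provider", NS)
    text = lambda tag: sysn.findtext(f"e:{tag}", namespaces=NS) or ""
    return {
        "system": {"provider": prov.get("Name"),
                   "guid": prov.get("Guid", "").strip("{}").upper(),
                   "event_id": int(text("EventID")),
                   "channel": text("Channel"),
                   "computer": text("Computer")},
        "event_data": {d.get("Name"): d.text or ""
                       for d in root.findall("e:EventData/e:Data", NS)},
    }


def match_audit_cve(event: dict) -> Optional[dict]:
    """Finding for an Audit-CVE event, None otherwise. The Sigma rule keys on the
    provider name; the GUID is a fallback for pipelines that rename that field."""
    system = event.get("system", {})
    if (system.get("provider") != AUDIT_CVE_PROVIDER
            and system.get("guid", "").upper() != AUDIT_CVE_GUID):
        return None
    data = event.get("event_data", {})
    cve_field = data.get("CVEID", "")
    m = CVE_RE.search(cve_field)
    event_id = system.get("event_id")
    channel, origin = ORIGIN_BY_EVENT_ID.get(event_id, (None, "unknown"))
    return {
        "event_id": event_id,
        "origin": origin,
        "channel": system.get("channel"),
        # channel mismatch: something other than Windows itself wrote the event
        "channel_ok": system.get("channel") == channel,
        "cve": m.group(0).upper() if m else None,
        "description": cve_field,
        "details": parse_details(data.get("AdditionalDetails", "")),
    }


def scan(events) -> list:
    """Run the rule over a batch of events in the page's JSON shape."""
    return [f for f in map(match_audit_cve, events) if f]


# Constructed samples: Event 1 shaped like the page's example (details shortened),
# Event 2 from a kernel-mode driver, and an unrelated logon event that must not match.
SAMPLE_EVENTS = [
    {"system": {"provider": AUDIT_CVE_PROVIDER, "guid": AUDIT_CVE_GUID, "event_id": 1,
                "channel": "Application", "computer": "Isaac"},
     "event_data": {"CVEID": "[CVE-2020-0601] cert validation",
                    "AdditionalDetails": "CA: <USERTrust ECC Certification Authority> "
                                         "sha1: C01B8463C8619676BA102EEBF0C30CDCED9A942B "
                                         "para: 06052B81040022"}},
    {"system": {"provider": AUDIT_CVE_PROVIDER, "guid": AUDIT_CVE_GUID, "event_id": 2,
                "channel": "System", "computer": "Isaac"},
     "event_data": {"CVEID": "[CVE-2020-0601] cert validation",
                    "AdditionalDetails": "CA: <Example Root CA> sha1: 00112233445566778899AABBCCDDEEFF00112233"}},
    {"system": {"provider": "Microsoft-Windows-Security-Auditing", "guid": "",
                "event_id": 4624, "channel": "Security", "computer": "Isaac"},
     "event_data": {"LogonType": "3"}},
]

# The same Event 1 as Get-WinEvent renders it (constructed XML, not a capture).
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Audit-CVE" Guid="{85A62A0D-7E17-485F-9D4F-749A287193A6}"/>
    <EventID>1</EventID><Channel>Application</Channel><Computer>Isaac</Computer></System>
  <EventData><Data Name="CVEID">[CVE-2020-0601] cert validation</Data>
    <Data Name="AdditionalDetails">CA: &lt;USERTrust ECC Certification Authority&gt; sha1: C01B8463C8619676BA102EEBF0C30CDCED9A942B para: 06052B81040022</Data>
  </EventData></Event>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS + [event_from_xml(SAMPLE_XML)]):
        print(f["event_id"], f["origin"], f["cve"], f["details"])
```

On a Windows host the same events can be exported for this script with `Get-WinEvent -FilterHashtable @{ProviderName='Microsoft-Windows-Audit-CVE'} | ForEach-Object { $_.ToXml() }`, one XML document per event, which `event_from_xml` accepts. The `channel_ok` flag is worth keeping in a real pipeline: Event 1 is documented as user-mode and Event 2 as kernel-mode, so an Event 2 turning up in the Application log (or vice versa) means something other than the OS component wrote it.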