Audit CVE Event
Detects events that user-mode applications generate by calling the CveEventWrite API when they observe an attempt to exploit a known vulnerability. Microsoft started using this log in January 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of a CVE being written to this log so far.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1203 Exploitation for Client Execution |
| Privilege Escalation | T1068 Exploitation for Privilege Escalation |
| Defense Evasion | T1211 Exploitation for Defense Evasion |
| Credential Access | T1212 Exploitation for Credential Access |
| Lateral Movement | T1210 Exploitation of Remote Services |
| Impact | T1499.004 Endpoint Denial of Service: Application or System Exploitation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Audit-CVE | 1 | Possible detection of CVE: PossibleDetectionOfCVE. |
Stages and Predicates
Stage 1: selection
Provider_Name: [Audit-CVE, Microsoft-Windows-Audit-CVE]
Indicators
Each row gives a field, an operator and the value(s) the rule matches on. The corpus column counts how many other rules in the catalog look for the same field, operator and value combination: a high count points to a widely used, community-vetted indicator, while a blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Provider_Name | eq | Audit-CVE, Microsoft-Windows-Audit-CVE |
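The Stage 1 selection above applied to raw Windows event XML, as an added example that is not part of the rule catalog or the Sigma project: it flattens each record into Sigma-style field names, keeps only records whose Provider_Name is one of the two listed values, and pulls out the reported CVE identifier. The sample records are constructed, and the EventData names CVEID and AdditionalDetails are assumed from the Audit-CVE event 1 message template rather than taken from the page.

```python
import xml.etree.ElementTree as ET

# Windows Event Log XML schema namespace (real schema URI).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Stage 1 selection from the rule page: Provider_Name eq either value.
SELECTION_PROVIDERS = {"Audit-CVE", "Microsoft-Windows-Audit-CVE"}


def parse_event(xml_text):
    """Flatten one event record into a dict keyed by Sigma-style field names."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "Provider_Name": system.find("e:Provider", NS).get("Name"),
        "EventID": int(system.findtext("e:EventID", default="0", namespaces=NS)),
    }
    # Named EventData/Data elements carry the rendered parameters (assumed: CVEID, AdditionalDetails).
    for data in root.iterfind("e:EventData/e:Data", NS):
        if data.get("Name"):
            fields[data.get("Name")] = (data.text or "").strip()
    return fields


def matches_selection(fields):
    """True when the flattened record satisfies the Stage 1 selection."""
    return fields.get("Provider_Name") in SELECTION_PROVIDERS


def triage(records):
    """Return (CVEID, AdditionalDetails) for every record that matches the rule."""
    hits = []
    for xml_text in records:
        fields = parse_event(xml_text)
        if matches_selection(fields):
            hits.append((fields.get("CVEID", ""), fields.get("AdditionalDetails", "")))
    return hits


# Constructed sample records: one Audit-CVE event 1 and one unrelated Application-log event.
SAMPLE_RECORDS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Audit-CVE"/><EventID>1</EventID></System>
  <EventData><Data Name="CVEID">CVE-2020-0601</Data>
  <Data Name="AdditionalDetails">constructed sample details</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>1033</EventID></System>
  <EventData><Data>installer text</Data></EventData></Event>""",
]

if __name__ == "__main__":
    for cve, details in triage(SAMPLE_RECORDS):
        print(f"Audit-CVE hit: {cve} ({details})")
```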