IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Whoami Process Activity Windows Network Enumeration »

› › ›

Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)

edit

Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)

edit

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

Rule type: query

Rule indices:

winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion

Version: 5 (version history)

Added (Elastic Stack release): 7.7.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit

event.provider:"Microsoft-Windows-Audit-CVE" and
message:"[CVE-2020-0601]"

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Subvert Trust Controls
- ID: T1553
- Reference URL: https://attack.mitre.org/techniques/T1553/

Rule version history

edit

Version 5 (7.11.2 release)

Formatting only

Version 4 (7.11.0 release)

Formatting only

Version 3 (7.10.0 release)

Formatting only

Version 2 (7.9.0 release)

Formatting only

« Whoami Process Activity Windows Network Enumeration »