Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

Rule type: query

Rule indices:

winlogbeat-*
logs-windows.*
logs-system.security*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Use Case: Vulnerability
Data Source: System

Version: 207

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Subvert Trust Controls
- ID: T1553
- Reference URL: https://attack.mitre.org/techniques/T1553/
Sub-technique:
- Name: Code Signing
- ID: T1553.002
- Reference URL: https://attack.mitre.org/techniques/T1553/002/

« Windows Account or Group Discovery Windows Defender Disabled via Registry Modification »