Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) | Elastic Security Solution [7.9]

The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

› › ›

« Whoami Process Activity Windows Script Executing PowerShell »

Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)edit

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

Rule type: query

Rule indices:

winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Windows

Version: 2 (version history)

Added (Elastic Stack release): 7.7.0

Last modified (Elastic Stack release): 7.9.0

Rule authors: Elastic

Rule license: Elastic License

Rule queryedit

event.provider:"Microsoft-Windows-Audit-CVE" and
message:"[CVE-2020-0601]"

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Code Signing
- ID: T1116
- Reference URL: https://attack.mitre.org/techniques/T1116/

Rule version historyedit

Version 2 (7.9.0 release)

Formatting only

« Whoami Process Activity Windows Script Executing PowerShell »