SigmaHQ/rules/windows/builtin/win_audit_cve.yml

38 lines
1.1 KiB
YAML
Raw Normal View History

2020-01-15 20:23:32 +00:00
title: Audit CVE Event
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
status: experimental
description: Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
references:
2020-01-15 20:27:40 +00:00
- https://twitter.com/mattifestation/status/1217179698008068096
2020-01-15 20:23:32 +00:00
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/davisrichardg/status/1217517547576348673
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
tags:
- attack.execution
- attack.t1203
- attack.privilege_escalation
- attack.t1068
- attack.defense_evasion
- attack.t1211
- attack.credential_access
- attack.t1212
- attack.lateral_movement
- attack.t1210
- attack.impact
- attack.t1499.004
2020-01-15 20:23:32 +00:00
author: Florian Roth
date: 2020/01/15
modified: 2020/08/23
2020-01-15 20:23:32 +00:00
logsource:
product: windows
service: application
detection:
selection:
Source: 'Microsoft-Windows-Audit-CVE'
condition: selection
falsepositives:
- Unknown
level: critical