title: Audit CVE Event
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
status: experimental
description: Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
references:
    - https://twitter.com/mattifestation/status/1217179698008068096
    - https://twitter.com/VM_vivisector/status/1217190929330655232
    - https://twitter.com/davisrichardg/status/1217517547576348673
    - https://twitter.com/DidierStevens/status/1217533958096924676
    - https://twitter.com/FlemmingRiis/status/1217147415482060800
tags:
    - attack.execution
    - attack.t1203
    - attack.privilege_escalation
    - attack.t1068
    - attack.defense_evasion
    - attack.t1211
    - attack.credential_access
    - attack.t1212
    - attack.lateral_movement
    - attack.t1210
    - attack.impact
    - attack.t1499.004
author: Florian Roth
date: 2020/01/15
modified: 2020/08/23
logsource:
    product: windows
    service: application
detection:
    selection:
        Source: 'Microsoft-Windows-Audit-CVE'
    condition: selection
falsepositives:
    - Unknown
level: critical