https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483460#M82829 <P><A href="https://www.splunk.com/en_us/blog/public-sector/leveraging-splunk-for-a-critically-important-patch-tuesday.html">https://www.splunk.com/en_us/blog/public-sector/leveraging-splunk-for-a-critically-important-patch-tuesday.html</A></P> Thu, 16 Jan 2020 16:09:27 GMT Azeemering 2020-01-16T16:09:27Z https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483456#M82825 <P>Hello Splunkers!</P> <P><STRONG>TL;DR</STRONG> - Has anyone seen an example log generated by the fix for the 2020-January Critical MS Windows CryptoAPI Vuln? <EM>(CVE-2020-0601)</EM></P> <P>Does anyone know what the exact event event looks like? The technet article: <A href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601/">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601/</A> references the following:</P> <UL> <LI>Event Log: Windows Logs/Application</LI> <LI>Event Source: Audit-CVE </LI> <LI>Event ID 1</LI> </UL> <P>Event ID 1 seems to be a common dumping ground, and I've never seen any logs from that SourceName (Assuming that's the field to key on) </P> <P>I'll (for now) run scheduled searches for the following, but have a feeling the data presents differently. </P> <P><EM>sourcetype=wineventlog:application SourceName=Audit-CVE</EM></P> <P>Any ideas/thoughts/suggestions?</P> Wed, 15 Jan 2020 15:35:52 GMT https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483456#M82825 dsctm3 2020-01-15T15:35:52Z https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483457#M82826 <P>One of the handlers at the Internet Storm Center (SANS entity) put together a VBA solution that populates the event log with a replica of these events.</P> <P>Take a look at <A href="https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/">https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/</A> for more info.</P> <P>Hope that helps!<BR /> rmmiller</P> Wed, 15 Jan 2020 22:12:08 GMT https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483457#M82826 rmmiller 2020-01-15T22:12:08Z https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483458#M82827 <P>This is exactly what I was looking for. Many thanks @rmmiller !</P> Wed, 15 Jan 2020 22:55:04 GMT https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483458#M82827 dsctm3 2020-01-15T22:55:04Z https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483459#M82828 <P>Glad I could help! We're all in this mess together! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 15 Jan 2020 23:42:42 GMT https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483459#M82828 rmmiller 2020-01-15T23:42:42Z https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483460#M82829 <P><A href="https://www.splunk.com/en_us/blog/public-sector/leveraging-splunk-for-a-critically-important-patch-tuesday.html">https://www.splunk.com/en_us/blog/public-sector/leveraging-splunk-for-a-critically-important-patch-tuesday.html</A></P> Thu, 16 Jan 2020 16:09:27 GMT https://community.splunk.com/t5/Getting-Data-In/MS-Crypto-API-Vuln-CVE-2020-0601-Any-example-logs/m-p/483460#M82829 Azeemering 2020-01-16T16:09:27Z