Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

MS Crypto API Vuln - CVE-2020-0601 - Any example logs?

dsctm3
Path Finder
‎01-15-2020 07:35 AM

Hello Splunkers!

TL;DR - Has anyone seen an example log generated by the fix for the 2020-January Critical MS Windows CryptoAPI Vuln? (CVE-2020-0601)

Does anyone know what the exact event event looks like? The technet article: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601/ references the following:

  • Event Log: Windows Logs/Application
  • Event Source: Audit-CVE
  • Event ID 1

Event ID 1 seems to be a common dumping ground, and I've never seen any logs from that SourceName (Assuming that's the field to key on)

I'll (for now) run scheduled searches for the following, but have a feeling the data presents differently.

sourcetype=wineventlog:application SourceName=Audit-CVE

Any ideas/thoughts/suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rmmiller
Contributor
‎01-15-2020 02:12 PM

One of the handlers at the Internet Storm Center (SANS entity) put together a VBA solution that populates the event log with a replica of these events.

Take a look at https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/ for more info.

Hope that helps!
rmmiller

View solution in original post

Reply
Solved! Jump to solution

dsctm3
Path Finder
‎01-15-2020 02:55 PM

This is exactly what I was looking for. Many thanks @rmmiller !

0 Karma
Reply
Solved! Jump to solution

rmmiller
Contributor
‎01-15-2020 03:42 PM

Glad I could help! We're all in this mess together! 🙂

Reply
Solved! Jump to solution
Solution

rmmiller
Contributor
‎01-15-2020 02:12 PM

One of the handlers at the Internet Storm Center (SANS entity) put together a VBA solution that populates the event log with a replica of these events.

Take a look at https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/ for more info.

Hope that helps!
rmmiller

Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...