Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

MS Crypto API Vuln - CVE-2020-0601 - Any example logs?

dsctm3
Path Finder
‎01-15-2020 07:35 AM

Hello Splunkers!

TL;DR - Has anyone seen an example log generated by the fix for the 2020-January Critical MS Windows CryptoAPI Vuln? (CVE-2020-0601)

Does anyone know what the exact event event looks like? The technet article: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601/ references the following:

  • Event Log: Windows Logs/Application
  • Event Source: Audit-CVE
  • Event ID 1

Event ID 1 seems to be a common dumping ground, and I've never seen any logs from that SourceName (Assuming that's the field to key on)

I'll (for now) run scheduled searches for the following, but have a feeling the data presents differently.

sourcetype=wineventlog:application SourceName=Audit-CVE

Any ideas/thoughts/suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rmmiller
Contributor
‎01-15-2020 02:12 PM

One of the handlers at the Internet Storm Center (SANS entity) put together a VBA solution that populates the event log with a replica of these events.

Take a look at https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/ for more info.

Hope that helps!
rmmiller

View solution in original post

Reply
Solved! Jump to solution

dsctm3
Path Finder
‎01-15-2020 02:55 PM

This is exactly what I was looking for. Many thanks @rmmiller !

0 Karma
Reply
Solved! Jump to solution

rmmiller
Contributor
‎01-15-2020 03:42 PM

Glad I could help! We're all in this mess together! 🙂

Reply
Solved! Jump to solution
Solution

rmmiller
Contributor
‎01-15-2020 02:12 PM

One of the handlers at the Internet Storm Center (SANS entity) put together a VBA solution that populates the event log with a replica of these events.

Take a look at https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/ for more info.

Hope that helps!
rmmiller

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...