Hello Splunkers!
TL;DR - Has anyone seen an example log generated by the fix for the 2020-January Critical MS Windows CryptoAPI Vuln? (CVE-2020-0601)
Does anyone know what the exact event looks like? The technet article: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601/ references the following:
Event ID 1 seems to be a common dumping ground, and I've never seen any logs from that SourceName (Assuming that's the field to key on)
I'll (for now) run scheduled searches for the following, but have a feeling the data presents differently.
sourcetype=wineventlog:application SourceName=Audit-CVE
Any ideas/thoughts/suggestions?
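For anyone wanting to sanity-check a search like the one above before real events show up, here is an added example (not from the original thread or from Microsoft) that parses a couple of constructed events in Splunk's multi-line WinEventLog layout and flags Event ID 1 from the Audit-CVE source. It assumes the SourceName field carries the provider name as "Microsoft-Windows-Audit-CVE" and that the message starts with the CVE id in square brackets; both are assumptions, so it matches on the "Audit-CVE" suffix and pulls the CVE id with a regex rather than hard-coding either.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in Splunk's multi-line WinEventLog layout: one Audit-CVE hit and
# one unrelated Application-log event. Values are illustrative, not captured events.
SAMPLE_EVENTS = """\
01/15/2020 10:23:45 AM
LogName=Application
SourceName=Microsoft-Windows-Audit-CVE
EventCode=1
ComputerName=WS01.corp.example
Message=[CVE-2020-0601] cert validation

01/15/2020 10:24:02 AM
LogName=Application
SourceName=MsiInstaller
EventCode=1
ComputerName=WS01.corp.example
Message=Product: Example App -- Installation completed successfully.
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


@dataclass
class AuditCveHit:
    host: str
    cve: Optional[str]   # None if the message carried no CVE id
    message: str


def parse_events(raw: str) -> List[dict]:
    """Split WinEventLog text on blank lines; one dict of Key=Value fields per event."""
    events = []
    for chunk in re.split(r"\n\s*\n", raw.strip()):
        fields = {}
        for line in chunk.splitlines()[1:]:   # first line is the timestamp, not a field
            key, sep, value = line.partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def find_audit_cve(raw: str) -> List[AuditCveHit]:
    """Keep Event ID 1 whose source ends in Audit-CVE (with or without the
    Microsoft-Windows- prefix) and extract the CVE id from the message."""
    hits = []
    for ev in parse_events(raw):
        if ev.get("EventCode") == "1" and ev.get("SourceName", "").endswith("Audit-CVE"):
            msg = ev.get("Message", "")
            m = CVE_RE.search(msg)
            hits.append(AuditCveHit(ev.get("ComputerName", "?"), m.group(0) if m else None, msg))
    return hits
```

The MsiInstaller event is also Event ID 1, which is why the filter keys on SourceName and not on the event code alone.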
One of the handlers at the Internet Storm Center (SANS entity) put together a VBA solution that populates the event log with a replica of these events.
Take a look at https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/ for more info.
Hope that helps!
rmmiller
This is exactly what I was looking for. Many thanks @rmmiller !
Glad I could help! We're all in this mess together! 🙂