Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)

Last updated: 2025-02-21
Created: 2020-03-19

About

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.
Tags
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Use Case: Vulnerability
Data Source: Windows Security Event Logs
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Defense Evasion (TA0005)

License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
winlogbeat-*
logs-windows.forwarded*
logs-system.security*
Related Integrations

windows

system

Query
event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows
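The query above has three conditions: the event must come from the Microsoft-Windows-Audit-CVE provider, its message must carry the "[CVE-2020-0601]" marker, and the host must be Windows. The following Python script is an added example, not Elastic's rule code, that applies the same predicate to ECS-shaped events so the logic can be checked offline against a handful of constructed events (they are not real telemetry). One assumption: KQL's `message:"[CVE-2020-0601]"` is a phrase match on a text field, which the script approximates with a substring test; the other two conditions are exact keyword matches.

```python
"""Added example: evaluate the CurveBall rule's KQL predicate in Python.
Not part of the Elastic rule page; uses constructed sample events."""

import json

# The three conditions from the rule's query:
#   event.provider:"Microsoft-Windows-Audit-CVE"
#   and message:"[CVE-2020-0601]"
#   and host.os.type:windows
REQUIRED_PROVIDER = "Microsoft-Windows-Audit-CVE"
REQUIRED_MESSAGE_MARKER = "[CVE-2020-0601]"
REQUIRED_OS_TYPE = "windows"


def get_field(event, dotted):
    """Resolve an ECS dotted field name (e.g. 'host.os.type') against a nested
    dict. Returns None when any component of the path is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_curveball_rule(event):
    """True when the event satisfies all three conditions of the rule.
    Substring matching on `message` is an assumption standing in for KQL's
    phrase match on a text field; provider and OS type are exact matches."""
    provider = get_field(event, "event.provider")
    message = get_field(event, "message")
    os_type = get_field(event, "host.os.type")
    return (
        provider == REQUIRED_PROVIDER
        and isinstance(message, str)
        and REQUIRED_MESSAGE_MARKER in message
        and os_type == REQUIRED_OS_TYPE
    )


def run_rule(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if matches_curveball_rule(e)]


def run_rule_on_jsonl(text):
    """Same as run_rule, but over newline-delimited JSON (one event per line),
    which is how forwarded Windows events usually arrive. Blank lines are skipped."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return run_rule(events)


# Constructed sample events (not real telemetry). Only the first one carries the
# right provider, the CVE marker in its message, and a Windows host, so it is
# the only one the rule should match.
SAMPLE_EVENTS = [
    {
        "event": {"provider": "Microsoft-Windows-Audit-CVE"},
        "message": "[CVE-2020-0601] certificate validation (constructed message)",
        "host": {"name": "ws01", "os": {"type": "windows"}},
    },
    {   # right provider, but a different CVE marker (placeholder value)
        "event": {"provider": "Microsoft-Windows-Audit-CVE"},
        "message": "[CVE-XXXX-XXXX] some other audited condition (constructed)",
        "host": {"name": "ws02", "os": {"type": "windows"}},
    },
    {   # right marker, wrong provider
        "event": {"provider": "Microsoft-Windows-Security-Auditing"},
        "message": "[CVE-2020-0601] text copied into an unrelated event (constructed)",
        "host": {"name": "ws03", "os": {"type": "windows"}},
    },
    {   # right provider and marker, non-Windows host.os.type
        "event": {"provider": "Microsoft-Windows-Audit-CVE"},
        "message": "[CVE-2020-0601] certificate validation (constructed message)",
        "host": {"name": "srv01", "os": {"type": "linux"}},
    },
    {   # fields missing entirely
        "message": "no provider or host fields at all (constructed)",
    },
]

# The same events serialized as NDJSON, to exercise run_rule_on_jsonl.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for hit in run_rule_on_jsonl(SAMPLE_JSONL):
        print("ALERT:", hit["host"]["name"], "-", hit["message"])
```

The negative cases are the ones worth keeping in mind when tuning: a different Audit-CVE marker, the same marker in an event from another provider, or a non-Windows `host.os.type` all fall outside the rule, so the alert volume is bounded to the specific audit event the query names.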

Install detection rules in Elastic Security

Detect Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.