Skip to content

Hide Navigation Hide TOC

Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2)

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Cluster A Galaxy A Cluster B Galaxy B Level
Exploitation for Defense Evasion - T1211 (fe926152-f431-4baf-956c-4ad3cb0bf23b) Attack Pattern Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) Sigma-Rules 1
Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) Sigma-Rules 1
Exploitation for Credential Access - T1212 (9c306d8d-cde7-4b4c-b6e8-d0bb16caca36) Attack Pattern Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) Sigma-Rules 1
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) Sigma-Rules 1
Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) Attack Pattern Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) Sigma-Rules 1
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) Sigma-Rules 1
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) Attack Pattern 2