
Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2)

Detects events that user-mode applications generate by calling the CveEventWrite API when an attempt to exploit a known vulnerability is encountered. Microsoft started using this log in January 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of a CVE being written to this log.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) | Sigma-Rules | Exploitation for Credential Access - T1212 (9c306d8d-cde7-4b4c-b6e8-d0bb16caca36) | Attack Pattern | 1 |
| Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) | Sigma-Rules | Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) | Attack Pattern | 1 |
| Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) | Sigma-Rules | Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) | Attack Pattern | 1 |
| Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) | Attack Pattern | Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) | Sigma-Rules | 1 |
| Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) | Sigma-Rules | Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) | Attack Pattern | 1 |
| Audit CVE Event (48d91a3a-2363-43ba-a456-ca71ac3da5c2) | Sigma-Rules | Exploitation for Defense Evasion - T1211 (fe926152-f431-4baf-956c-4ad3cb0bf23b) | Attack Pattern | 1 |
| Application or System Exploitation - T1499.004 (2bee5ffb-7a7a-4119-b1f2-158151b19ac0) | Attack Pattern | Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) | Attack Pattern | 2 |