Hi, we patch our desktops and servers, but what is the good version of crypt32.dll, 10.0.18362.592?
I have a hard time keeping track of versions. I do a couple things to validate the patch. First, I confirm the corresponding hotfix is applied. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 … Look up the "Article" number that corresponds to your OS and validate w/ (in my case): Get-HotFix -Id KB4528760
2 more replies

New conversation
But a good EDR detection would contextualize and inform the analyst performing the triage as to what they're actually looking at - e.g. how to interpret the para argument.
Any artifact or indicator folks can hunt for who have not patched?
It pains me to say that I do not have indicators that I can share with confidence at the moment.
3 more replies

New conversation
It looks like there are two possible events that can come from the Microsoft-Windows-Audit-CVE event provider. pic.twitter.com/YMRaj0hau7
Yup. Event ID 2 is generated when ntoskrnl!SeEtwWriteKMCveEvent is called. The CVE-2020-0601 event will always generate event ID 1 as it is called from user mode via advapi32!CveEventWrite.
7 more replies
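An added PowerShell check, not posted by anyone in the thread, that ties the Get-HotFix validation from the first reply to the Audit-CVE event IDs discussed here. The KB number is the one that poster quoted for their own OS build and must be replaced for yours, and the filter on the CVE id in the event text is an assumption.

```powershell
# Added example (not from the thread): on a patched Windows host, confirm the
# CVE-2020-0601 update is present and hunt the Application log for the
# Microsoft-Windows-Audit-CVE events described in the thread (ID 1 from user
# mode via advapi32!CveEventWrite, ID 2 from kernel mode via
# ntoskrnl!SeEtwWriteKMCveEvent). Assumption: the KB id is the poster's own
# and must be looked up for your OS build; the CVE id appearing in the event
# text is assumed, not taken from the thread.
param(
    [string]$HotfixId = 'KB4528760',   # from the reply above; replace for your OS
    [int]$Days = 30
)

function Get-Cve20200601Posture {
    $fix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    $dll = Get-Item "$env:SystemRoot\System32\crypt32.dll"
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        HotfixInstalled = [bool]$fix
        InstalledOn     = if ($fix) { $fix.InstalledOn } else { $null }
        Crypt32Version  = $dll.VersionInfo.FileVersion   # compare against the KB's file list
    }
}

function Get-AuditCveEvents {
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1, 2
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CVE-2020-0601' } |   # assumption about the event text
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Origin  = if ($_.Id -eq 1) { 'user mode (CveEventWrite)' } else { 'kernel mode (SeEtwWriteKMCveEvent)' }
                Process = $_.ProcessId
                Message = ($_.Message -split "`r?`n")[0]
            }
        }
}

Get-Cve20200601Posture | Format-List
$events = @(Get-AuditCveEvents)
if ($events.Count -eq 0) {
    "No Microsoft-Windows-Audit-CVE events in the last $Days days (an unpatched host never emits them, so this proves nothing there)."
} else {
    $events | Sort-Object Time | Format-Table -AutoSize
}
```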
New conversation
Microsoft should add detection before patching imho; a delivery service could use the Defender update mechanism or something new imho.
From my perspective, the @MSDefenderATP products (WDAV and MDATP) were extremely proactive in releasing detections in conjunction with the release of the patch. WDAV coverage: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2020-0601.A&ThreatID=2147749406 … https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2020-0601.B … MDATP coverage: https://twitter.com/depletionmode/status/1217147877887283200 …
End of conversation

New conversation
May I ask how you generated this sample event on the screenshot?
I cheated. I set a breakpoint here for validation of a legitimate certificate and redirected the branching to the ChainLogMSRC54294Error function. pic.twitter.com/73bOkQHBlk
2 more replies