In the world of detection engineering, we often rely on heuristics to find anomalies. But what if the operating system could tell us directly: “Hey, someone
just tried to exploit this specific/critical vulnerability”?
This is exactly what the ETW provider Microsoft-Windows-Audit-CVE does.
What is Microsoft-Windows-Audit-CVE?
Traditionally, a security patch fixes a vulnerability by correcting the flawed logic and nothing more. For particularly critical or widely publicised vulnerabilities, however, Microsoft has started integrating audit logic directly into the patch itself: beginning with the January 2020 fix for CVE-2020-0601, the corrected code path not only rejects the malicious input but also reports the attempt.
Instead of silently failing the request with a generic error, the patched code calls the documented CveEventWrite function (exported by advapi32.dll), passing the CVE identifier and a short details string.
This writes an event under the ETW provider Microsoft-Windows-Audit-CVE, GUID {85a62a0d-7e17-485f-9d4f-749a287193a6}. The same event is also recorded in the Application event log as Event ID 1, so it is visible in Event Viewer and to any log forwarder without a dedicated ETW consumer.
Why this is a game-changer:
- Near-zero false positives: the check is hard-coded into the affected component (e.g., crypt32.dll for CVE-2020-0601) and fires only on the exact exploit pattern, so the false-alarm rate is far below that of a generic heuristic. It is not literally zero: your own proof-of-concept tests and vulnerability scanners that probe the flaw raise the same event, so triage still has to establish who sent the input.
- Low performance impact: no additional agent or hook is required; the check is part of the normal execution path of the patched code.
- Forensic precision: the event names the exact CVE-ID that was attempted and is written by the process that received the malicious input, so the event's process ID points at the target of the attempt.
One caveat follows directly from the design: only patched code generates the event. A host that is still vulnerable logs nothing, and an event on a patched host means the attempt was recognised and blocked. Absence of events is therefore not evidence of absence of attacks, and presence of events is evidence of a failed attempt by someone who will probably try elsewhere.
Technical Workflow
When an application calls an API whose flaw has been fixed, the patched code inspects the input (for CVE-2020-0601, the elliptic-curve parameters of the certificate being validated). If it recognises the specific malicious pattern, it rejects the input exactly as a patched build would anyway and additionally calls CveEventWrite to record the attempt.
Event Structure (Event ID 1)
The most important event is Event ID 1. Its rendered message begins “Possible detection of CVE: <CVEID> Additional Information: <AdditionalDetails>”; the structured fields behind it are:
| Field | Description |
|---|---|
| CVEID | The specific vulnerability ID (e.g., CVE-2020-0601); first parameter of CveEventWrite |
| AdditionalDetails | Contextual info regarding the process or payload; second parameter of CveEventWrite |
| UserContext | The user account under which the exploit was attempted (in the Application-log copy this is the SID of the process that called CveEventWrite) |
Hands-on: Detection & Hunting
To check if any exploitation attempts have occurred on a system, you can use PowerShell. Since these events are recorded in the Application Log, the query is straightforward:
# Search for CVE Audit events in the Application Log
Get-WinEvent -FilterHashtable @{
LogName = 'Application'
ProviderName = 'Microsoft-Windows-Audit-CVE'
Id = 1
} | Select-Object TimeCreated, Message | Format-Table -AutoSize
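The one-liner above returns the free-text Message, which is awkward to pivot on. The following PowerShell function is an added example (not code from the original post) that reads the event's structured fields instead, resolves the calling process and account, and produces objects that can be grouped or forwarded as JSON. It assumes that the EventData fields appear positionally as written by CveEventWrite (Properties[0] = CVEID, Properties[1] = AdditionalDetails) and that the output file name cve-audit-events.json is a placeholder for your own sink.

```powershell
# Added example, not part of the original post: structured triage of Audit-CVE Event ID 1.
# Assumption: Properties[0] = CVEID and Properties[1] = AdditionalDetails, the two
# parameters passed to CveEventWrite, in that order.

function Get-CveAuditEvent {
    [CmdletBinding()]
    param(
        # How far back to search; default 30 days.
        [datetime]$StartTime = (Get-Date).AddDays(-30),
        # Target host; defaults to the local machine (Application log is readable by standard users).
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = $StartTime
    }

    # Get-WinEvent raises a non-terminating "No events were found" error on a clean host;
    # treat that as an empty result rather than a failure.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Resolve the SID of the writing process to an account name where possible.
        $account = $null
        if ($e.UserId) {
            try   { $account = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $e.UserId.Value }
        }

        # The process that called CveEventWrite is the one that received the malicious input.
        # It may already have exited, and PIDs are only meaningful locally, so this is best-effort.
        $procName = $null
        if ($ComputerName -eq $env:COMPUTERNAME) {
            $procName = (Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue).ProcessName
        }

        $details = ''
        if ($e.Properties.Count -gt 1) { $details = [string]$e.Properties[1].Value }

        [pscustomobject]@{
            TimeCreated       = $e.TimeCreated
            Computer          = $e.MachineName
            CVEID             = [string]$e.Properties[0].Value
            AdditionalDetails = $details
            ProcessId         = $e.ProcessId
            ProcessName       = $procName
            Account           = $account
            RecordId          = $e.RecordId
        }
    }
}

# Usage: count attempts per CVE and receiving process, then emit JSON for the SIEM.
$hits = Get-CveAuditEvent
$hits | Group-Object CVEID, ProcessName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$hits | ConvertTo-Json -Depth 3 | Out-File -Encoding utf8 .\cve-audit-events.json
```

Grouping by CVEID and ProcessName separates, for example, a single scanner sweep against one service from repeated attempts against several hosts; the RecordId lets an analyst go back to the original record in Event Viewer or a forwarded copy.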
Real-time Monitoring via Logman
For real-time analysis during a red-teaming exercise or incident response, you can start an ETW trace session directly from an elevated prompt (creating a session requires administrative rights):
logman start CveAuditTrace -p "{85a62a0d-7e17-485f-9d4f-749a287193a6}" -o CveAudit.etl -ets
logman stop CveAuditTrace -ets
The second command ends the session and flushes CveAudit.etl, which can then be opened in Windows Performance Analyzer or converted with tracerpt CveAudit.etl -o CveAudit.xml -of XML.
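An ETL trace has to be stopped and decoded before it can be read. If you need an alert the moment the event lands, the following PowerShell script is an added example (not from the original post) that subscribes to the Application log in real time with an XPath filter on the provider and Event ID 1, so each record triggers an action as it is written. It assumes the same positional EventData layout (Properties[0] = CVEID, Properties[1] = AdditionalDetails) and uses a local file, cve-alerts.jsonl, as a placeholder for your alert sink.

```powershell
# Added example, not part of the original post: real-time consumer for Audit-CVE Event ID 1
# built on the .NET EventLogWatcher, so no ETW trace session is needed.
# Assumptions: Properties[0]/[1] = CVEID/AdditionalDetails as written by CveEventWrite;
# the output file .\cve-alerts.jsonl stands in for a real SIEM forwarder.

$xpath = "*[System[Provider[@Name='Microsoft-Windows-Audit-CVE'] and EventID=1]]"
$query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
    'Application', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)

$subscription = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier 'AuditCve' -Action {
    # EventRecord is null when the watcher reports a delivery error instead of a record.
    $rec = $Event.SourceEventArgs.EventRecord
    if ($null -eq $rec) { return }

    $details = ''
    if ($rec.Properties.Count -gt 1) { $details = [string]$rec.Properties[1].Value }
    $sid = $null
    if ($rec.UserId) { $sid = $rec.UserId.Value }

    $alert = [pscustomobject]@{
        Time              = $rec.TimeCreated.ToString('o')
        Computer          = $rec.MachineName
        CVEID             = [string]$rec.Properties[0].Value
        AdditionalDetails = $details
        ProcessId         = $rec.ProcessId      # process that received the malicious input
        UserSid           = $sid
    }

    # One JSON object per line; a log shipper can tail this file.
    $alert | ConvertTo-Json -Compress | Add-Content -Path '.\cve-alerts.jsonl'
    Write-Host ("ALERT {0} {1} pid={2} {3}" -f $alert.Time, $alert.CVEID, $alert.ProcessId, $alert.AdditionalDetails)
}

# Start delivering records; the subscription lives as long as this PowerShell session.
$watcher.Enabled = $true
Write-Host "Watching the Application log for Microsoft-Windows-Audit-CVE Event ID 1."
Write-Host "To stop: Unregister-Event -SourceIdentifier AuditCve; `$watcher.Enabled = `$false"
```

Because the watcher reads the Application-log copy of the event, it needs no elevation and sees exactly what a forwarded log would contain; the logman trace remains the right tool when you want the raw ETW payload or need to correlate with other providers in one ETL file.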
MITRE ATT&CK® Mapping
Integrating this provider into your SIEM helps cover the following techniques:
| ID | Technique | Description |
|---|---|---|
| T1210 | Exploitation of Remote Services | Exploiting network services |
| T1068 | Exploitation for Privilege Escalation | Escalating privileges |
| T1211 | Exploitation for Defense Evasion | Bypassing security controls |
Notable Monitored CVEs (Examples)
Not every vulnerability gets this audit support. Microsoft typically adds it for high-risk or widely discussed vulnerabilities:
- CVE-2020-0601 (CurveBall): flawed ECC certificate validation in the CryptoAPI (crypt32.dll); the first vulnerability shipped with this auditing, logged with the details string "[CVE-2020-0601] cert validation".
- CVE-2021-34527 (PrintNightmare): Critical flaw in the Windows Print Spooler.
- CVE-2022-21907: Remote Code Execution in the HTTP Protocol Stack.
Conclusion for Blue Teamers
The Microsoft-Windows-Audit-CVE provider is an often-overlooked goldmine for high-fidelity alerts. While attackers try to bypass EDR heuristics, the patched Windows code “snitches” on the attacker by naming the exact CVE they are trying to weaponize.
Recommendation: Ensure that Event ID 1 from this provider is ingested into your central logging (Splunk, Sentinel, ELK) and alerted on at every occurrence, since there is no benign baseline to tune against. Because an event also proves the targeted host was patched, follow each alert with a patch-status check of the hosts around it: the attacker has already shown which vulnerability they are carrying.