Write-CveEvent.ps1


<#PSScriptInfo
 
.VERSION 1.1.1
 
.GUID 1712c8de-8109-4a62-8123-1d6060ea364d
 
.AUTHOR Stephen Osburne
 
.COMPANYNAME
 
.COPYRIGHT
 
.TAGS
 
.LICENSEURI
 
.PROJECTURI
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
v1.0
-Initial Release
 
v1.1
-Changed Parameter Defaults to more closely match a true CVE-2020-0601 exploit attempt
 
v1.1.1
-Updated Help
 
.PRIVATEDATA
 
#>


<#
.SYNOPSIS
    Writes a CVE detection event to the Windows Event Log
 
.DESCRIPTION
    This script calls the CveEventWrite function from AdvApi32.dll to write a CVE detection
    event to the Windows Event Log
    Log: Application
    Source: Audit-CVE
    Event ID: 1
 
.PARAMETER CVE
    Specifies the CVE or Vulnerability to put in the Event
    If not specified, the default is "[CVE-2020-0601] cert validation"
 
.PARAMETER AddInfo
    Specifies the Additional Information to put in the Event
    If not specified, the default is "CA: <Evil Corp> sha1: 0B02DBB8B01B69D9410E39B39058466480309866 para:01010101010101 otherPara: 0101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101"
 
.INPUTS
 
None.
 
.OUTPUTS
 
None.
 
.EXAMPLE
 
PS> .\Write-CveEvent.ps1 -CVE "2020-0601" -AddInfo "CA: <Evil Corp>"
 
.NOTES
Thanks to @DidierStevens for the VBA code starting point.
#>

 
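[CmdletBinding()]
Param (
    # Text placed in the event's CveId field (the vulnerability being "detected").
    # Typed [string[]] for backward compatibility; elements are joined with a space.
    [parameter()]
    [string[]]$CVE = "[CVE-2020-0601] cert validation",
    # Text placed in the event's AdditionalDetails field.
    [parameter()]
    [string[]]$AddInfo = "CA: <Evil Corp> sha1: 0B02DBB8B01B69D9410E39B39058466480309866 para:01010101010101 otherPara: 0101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101"
)

# P/Invoke declaration for CveEventWrite in advapi32.dll.
# The native function returns a LONG Win32 error code (0 = ERROR_SUCCESS), so it is
# declared as int rather than bool; the previous bool declaration only worked because a
# non-zero 4-byte value happens to marshal as $true. Both arguments are PCWSTR, hence
# CharSet.Unicode.
$Signature = @"
[DllImport("advapi32.dll", CharSet=CharSet.Unicode)]
public static extern int CveEventWrite(string CveId, string AdditionalDetails);
"@

# Compile the wrapper type only once per session: Add-Type reports an error if the
# same type name is added again. NOTE(review): if this session already compiled the
# type under an earlier signature, the existing definition is reused.
$typeName = 'securitybaseapi.AdvApiCveEventWrite'
$nativeApi = $typeName -as [type]
if (-not $nativeApi) {
    $nativeApi = Add-Type -MemberDefinition $Signature -Name 'AdvApiCveEventWrite' -Namespace 'securitybaseapi' -PassThru
}

# The parameters are arrays; collapse them to the single strings the API takes
# (same space-joined conversion PowerShell applies implicitly, made explicit here).
$cveId = [string]$CVE
$details = [string]$AddInfo

try {
    # 0 (ERROR_SUCCESS) means the Audit-CVE event was written; anything else is a
    # Win32 error code.
    $result = $nativeApi::CveEventWrite($cveId, $details)
} catch [System.EntryPointNotFoundException] {
    # advapi32.dll on this Windows build does not export CveEventWrite, so the event
    # cannot be produced here; rethrow unchanged so callers still see the original error.
    Write-Warning -Message "CveEventWrite is not exported by advapi32.dll on this Windows build."
    throw
}

if ($result -ne 0) {
    Write-Warning -Message "CveEventWrite reported an error (Win32 error code $result)."
} else {
    Write-Verbose -Message "An Audit-CVE Event`r`nCVE = $cveId`r`nAdditional Information = $details`r`nwas written to the Event Log"
}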