harmzway · January 16, 2020 17:33 · Jan 16, 2020 · Jan 16, 2020 · Jan 16, 2020 · Jan 16, 2020
diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -29,6 +29,8 @@ network owners.
     - Interesting nuggets: RSA 2048, use NIST P-384 (secp384r1) curve, 365 days default expire date.
     - 1 Sample uploaded on VTI, seems related to the previous PoC, but no confirmation
         - https://www.virustotal.com/gui/file/95597ed5ed579d4fe1e9a2177c29178038e4f837998bc058c94ede6ec55b7547/details
+    - Updated PoC (2020-01-16 1448)
+      - Updated include new nuggets: 10000 days default expire date, now abuse CA: "Microsoft ECC Product Root Certificate Authority         2018", still use NIST P-384 (secp384r1) curve, added a mark in the end "Signed by ollypwn"
 
   - PoC published the 2020-01-16 1214 AM GMT+1 [PoC2]
     - Interesting nuggets: default serial number = 0x5c8b99c55a94c5d27156decd8980cc26, use NIST P-384 (secp384r1) curve, 500 days         default expire date, configured to abuse USERTrust ECC Certification Authority, some others hardcoded information but could be       changed easily, C = CH, ST = Vaud, L = Lausanne, O = Kudelski Security, CN = 85.184.255.36.

diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -1,4 +1,4 @@
-# CVE-2020-0601
+# CVE-2020-0601 AKA ChainOfFools
 
 ## General
 - Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
@@ -34,7 +34,7 @@ network owners.
     - Interesting nuggets: default serial number = 0x5c8b99c55a94c5d27156decd8980cc26, use NIST P-384 (secp384r1) curve, 500 days         default expire date, configured to abuse USERTrust ECC Certification Authority, some others hardcoded information but could be       changed easily, C = CH, ST = Vaud, L = Lausanne, O = Kudelski Security, CN = 85.184.255.36.
 
 - Privately available: YES (Around 10 private PoC)
-- In The Wild Exploitation: IDK
+- In The Wild Exploitation: YES
 
 ## REFERENCES
 - [Microsoft Security Advisory](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601)
@@ -46,6 +46,8 @@ network owners.
 - [CERT-FR_ALERTE](https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-004/)
 - [CERT/CC VU#849224](https://kb.cert.org/vuls/id/849224/)
 - [NCSC IE](https://www.ncsc.gov.ie/pdfs/Microsoft_Vulnerabilities_Jan2020.pdf)
+- [Research BlogPost](https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/)
+
 
 ## Affected Versions (Exhaustive list)
 - Windows 10 for 32-bit Systems
@@ -137,6 +139,13 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 #### Kaspersky
 - [TBD]
 
+## Website to check if your device is vulnerable
+- Website available to check if you're browser is vulnerable to CVE-2020-0601
+- [Browser Website Check](https://chainoffools.wouaib.ch/)
+
+## EMULATE CVE-2020-0601 exploitation attempt
+- From Didier Stevens blog, with a bit of VBA, you can test, if your system is patched, to create an emulated event.
+- [Didier Stevens Blog: Using CveEventWrite From VBA CVE-2020-0601](https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/)
 
 ## DETECT
 ### Detect the current version of "crypt32.dll"
@@ -148,6 +157,7 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 
 #### Check the file signatures and dates
 - Eg: On windows 10, the new DLL is signed with the following timestamp "Friday 3 january 2020 06:14:45"
+  - Author's note: The timestamp coul be also the 4th January, depending which Microsoft Edition you're running.
 - Eg: On Windows 10, the new DLL has the following version "10.0.18362.592"
 - Eg: On Windows 10, the new DLL has the following hashes:
   - CRC32: 2B82D538

diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -24,7 +24,15 @@ network owners.
 - If you really want to deep dive in the cryptographic part and understand better the root cause of this vulnerability, Tal Be'ery published today a very didactic explanation [Tal Be'ery Medium BlogPost](https://medium.com/zengo/win10-crypto-vulnerability-cheating-in-elliptic-curve-billiards-2-69b45f2dcab6)
 
 ## EXPLOIT
-- Publicly available: NO
+- Publicly available: YES
+  - PoC published the 2020-01-16 1208 AM GMT+1 (PoC1)
+    - Interesting nuggets: RSA 2048, use NIST P-384 (secp384r1) curve, 365 days default expire date.
+    - 1 Sample uploaded on VTI, seems related to the previous PoC, but no confirmation
+        - https://www.virustotal.com/gui/file/95597ed5ed579d4fe1e9a2177c29178038e4f837998bc058c94ede6ec55b7547/details
+
+  - PoC published the 2020-01-16 1214 AM GMT+1 [PoC2]
+    - Interesting nuggets: default serial number = 0x5c8b99c55a94c5d27156decd8980cc26, use NIST P-384 (secp384r1) curve, 500 days         default expire date, configured to abuse USERTrust ECC Certification Authority, some others hardcoded information but could be       changed easily, C = CH, ST = Vaud, L = Lausanne, O = Kudelski Security, CN = 85.184.255.36.
+
 - Privately available: YES (Around 10 private PoC)
 - In The Wild Exploitation: IDK
 
@@ -115,6 +123,11 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 - [GitHub](https://github.com/0xxon/cve-2020-0601/blob/master/Readme.md)
 - [Tweet 0xxon](https://twitter.com/0xxon/status/1217288808443441152)
 
+### SIGMA RULE
+- Thanks to Florian Roth, there's a sigma rule to detect an exploitation attempst on patched devices.
+- [GITHUB Sigma Rule](https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_audit_cve.yml)
+- [Tweet Florian Roth](https://twitter.com/cyb3rops/status/1217545671424847874)
+
 #### Sophos 
 - [TBD]
 

diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -86,7 +86,7 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 #### Crowdstrike
 - [Detection using Windows new API on patched devices](https://twitter.com/aionescu/status/1217157482600108033)
 
-### Tehtris XDR
+#### Tehtris XDR
 - [Detection using Windows new API on patched devices](https://twitter.com/tehtris/status/1217500188903907331)
 
 #### Symantec 
@@ -102,11 +102,11 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 #### McAfee 
 - [McAfee KB](https://kc.mcafee.com/corporate/index?page=content&id=KB92322&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US)
 
-### Qualys
+#### Qualys
 - QID: 91595
 - [Qualys BlogPost](https://blog.qualys.com/laws-of-vulnerabilities/2020/01/14/microsoft-windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-how-to-detect-and-remediate)
 
-### Tenable
+#### Tenable
 - [Plugins ID list](https://www.tenable.com/plugins/search?q=%22CVE-2020-0601%22%20AND%20script_family%3A(%22Windows%22)&sort=&page=1)
 - [Tenable BlogPost](https://www.tenable.com/blog/cve-2020-0601-nsa-reported-spoofing-vulnerability-in-windows-cryptoapi)
 

diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -21,7 +21,12 @@
 - Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all
 network owners.
 
-- Author's note: still assessing the situation
+- If you really want to deep dive in the cryptographic part and understand better the root cause of this vulnerability, Tal Be'ery published today a very didactic explanation [Tal Be'ery Medium BlogPost](https://medium.com/zengo/win10-crypto-vulnerability-cheating-in-elliptic-curve-billiards-2-69b45f2dcab6)
+
+## EXPLOIT
+- Publicly available: NO
+- Privately available: YES (Around 10 private PoC)
+- In The Wild Exploitation: IDK
 
 ## REFERENCES
 - [Microsoft Security Advisory](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601)
@@ -32,9 +37,9 @@ network owners.
 - [CISA-Alert-aa20-014a](https://www.us-cert.gov/ncas/alerts/aa20-014a)
 - [CERT-FR_ALERTE](https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-004/)
 - [CERT/CC VU#849224](https://kb.cert.org/vuls/id/849224/)
-- TBD
+- [NCSC IE](https://www.ncsc.gov.ie/pdfs/Microsoft_Vulnerabilities_Jan2020.pdf)
 
-## Affected Versions
+## Affected Versions (Exhaustive list)
 - Windows 10 for 32-bit Systems
 - Windows 10 for x64-based Systems
 - Windows 10 Version 1607 for 32-bit Systems
@@ -81,6 +86,9 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 #### Crowdstrike
 - [Detection using Windows new API on patched devices](https://twitter.com/aionescu/status/1217157482600108033)
 
+### Tehtris XDR
+- [Detection using Windows new API on patched devices](https://twitter.com/tehtris/status/1217500188903907331)
+
 #### Symantec 
 - [ID Not assigned yet](https://support.symantec.com/us/en/article.TECH257115.html)
 - [ThreatCenter](https://www.symantec.com/security-center/vulnerabilities/writeup/111370)
@@ -94,6 +102,19 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 #### McAfee 
 - [McAfee KB](https://kc.mcafee.com/corporate/index?page=content&id=KB92322&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US)
 
+### Qualys
+- QID: 91595
+- [Qualys BlogPost](https://blog.qualys.com/laws-of-vulnerabilities/2020/01/14/microsoft-windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-how-to-detect-and-remediate)
+
+### Tenable
+- [Plugins ID list](https://www.tenable.com/plugins/search?q=%22CVE-2020-0601%22%20AND%20script_family%3A(%22Windows%22)&sort=&page=1)
+- [Tenable BlogPost](https://www.tenable.com/blog/cve-2020-0601-nsa-reported-spoofing-vulnerability-in-windows-cryptoapi)
+
+### Zeek / BRO IDS
+- Thanks to 0xxon for the work on Zeek / Bro iDS
+- [GitHub](https://github.com/0xxon/cve-2020-0601/blob/master/Readme.md)
+- [Tweet 0xxon](https://twitter.com/0xxon/status/1217288808443441152)
+
 #### Sophos 
 - [TBD]
 
@@ -129,7 +150,18 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 ```
 SELECT * FROM patches WHERE HOTFIX_ID='KB4534273';
 ```
-- Thanks to Kolide [Kolide Tweet](https://twitter.com/kolide/status/1217185516224950273?s=21)
+- Thanks to Kolide [Kolide Tweet](https://twitter.com/kolide/status/1217185516224950273)
+
+### Detect with SPLUNK if your device is attacked by CVE-2020-0601
+- You can detect in your patched devices any try of exploitation with the following oneliner command:
+```
+sourcetype=WinEventLog EventCode=1 LogName=Application Message="*[CVE-2020-0601]*"
+```
+- Thanks to Richard Davis [DAVISRICHARDG Tweet](https://twitter.com/davisrichardg/status/1217517547576348673)
+
+### Parses the ASN.1-encoded ECC curve parameters from an Audit-CVE By Matt Graeber
+- Check his github gist [Matt Graeber Gist](https://gist.github.com/mattifestation/a64846c1c523d3aaedaeb1fb0f4989ce)
+- Tweets explanations [Tweets](https://twitter.com/mattifestation/status/1217490544773009409)
 
 ## Errors, typos, something to say ?
 - Feel free to report any mistake directly below in the comment or in DM on Twitter [@SwitHak](https://twitter.com/SwitHak)
diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -92,7 +92,7 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 - 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 
 #### McAfee 
-- [TBD]
+- [McAfee KB](https://kc.mcafee.com/corporate/index?page=content&id=KB92322&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US)
 
 #### Sophos 
 - [TBD]

diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -105,7 +105,13 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 
 
 ## DETECT
-### Detect the current version of "crypto32.dll"
+### Detect the current version of "crypt32.dll"
+
+#### Detect with PowerShell
+```
+[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Windows\System32\crypt32.dll").ProductVersion
+```
+
 #### Check the file signatures and dates
 - Eg: On windows 10, the new DLL is signed with the following timestamp "Friday 3 january 2020 06:14:45"
 - Eg: On Windows 10, the new DLL has the following version "10.0.18362.592"
@@ -118,7 +124,7 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 
 - PowerShell & SCCM are your friends to gain a visibility in your networks
 
-### Detect with OSQUERY
+### Detect with OSQUERY if your device is patched
 - You can detect devices patched with the following oneliner command:
 ```
 SELECT * FROM patches WHERE HOTFIX_ID='KB4534273';

diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -118,7 +118,8 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 
 - PowerShell & SCCM are your friends to gain a visibility in your networks
 
-#### Detect with OSQUERY
+### Detect with OSQUERY
+- You can detect devices patched with the following oneliner command:
 ```
 SELECT * FROM patches WHERE HOTFIX_ID='KB4534273';
 ```

diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -118,6 +118,11 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 
 - PowerShell & SCCM are your friends to gain a visibility in your networks
 
+#### Detect with OSQUERY
+```
+SELECT * FROM patches WHERE HOTFIX_ID='KB4534273';
+```
+- Thanks to Kolide [Kolide Tweet](https://twitter.com/kolide/status/1217185516224950273?s=21)
 
 ## Errors, typos, something to say ?
 - Feel free to report any mistake directly below in the comment or in DM on Twitter [@SwitHak](https://twitter.com/SwitHak)
diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -32,7 +32,7 @@ network owners.
 - [CISA-Alert-aa20-014a](https://www.us-cert.gov/ncas/alerts/aa20-014a)
 - [CERT-FR_ALERTE](https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-004/)
 - [CERT/CC VU#849224](https://kb.cert.org/vuls/id/849224/)
-- 
+- TBD
 
 ## Affected Versions
 - Windows 10 for 32-bit Systems
@@ -85,6 +85,12 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 - [ID Not assigned yet](https://support.symantec.com/us/en/article.TECH257115.html)
 - [ThreatCenter](https://www.symantec.com/security-center/vulnerabilities/writeup/111370)
 
+#### SNORT
+- 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
+- 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
+- 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
+- 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
+
 #### McAfee 
 - [TBD]
 
@@ -97,8 +103,9 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 #### Kaspersky
 - [TBD]
 
+
 ## DETECT
-### Detect the version of current "crypto32.dll"
+### Detect the current version of "crypto32.dll"
 #### Check the file signatures and dates
 - Eg: On windows 10, the new DLL is signed with the following timestamp "Friday 3 january 2020 06:14:45"
 - Eg: On Windows 10, the new DLL has the following version "10.0.18362.592"

diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -1,7 +1,7 @@
 # CVE-2020-0601
 
 ## General
-- Microsoft disclosed a vulnerability in their routinely Patch Tuesday refereced under CVE-2020-0601.
+- Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
 - The vulnerability was discovered by the U.S. National Security Agency, anounced today (2020-01-14) in their press conference,  followed by a blog post and an official security advisory.
 - The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.
 
@@ -111,3 +111,6 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 
 - PowerShell & SCCM are your friends to gain a visibility in your networks
 
+
+## Errors, typos, something to say ?
+- Feel free to report any mistake directly below in the comment or in DM on Twitter [@SwitHak](https://twitter.com/SwitHak)
diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -2,12 +2,12 @@
 
 ## General
 - Microsoft disclosed a vulnerability in their routinely Patch Tuesday refereced under CVE-2020-0601.
-- The vulnerability was discovered by the U.S. National Security Agency in their press conference and followed by a blog post and an official security advisory.
-- The flaw is located in the "CRYPT32.DLL".
+- The vulnerability was discovered by the U.S. National Security Agency, anounced today (2020-01-14) in their press conference,  followed by a blog post and an official security advisory.
+- The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.
 
 ## Vulnerability explanation
 - NSA description:
-- NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality.
+- NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.
 - The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. 
 - The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. 
 - Examples where validation of trust may be impacted include:
@@ -34,6 +34,33 @@ network owners.
 - [CERT/CC VU#849224](https://kb.cert.org/vuls/id/849224/)
 - 
 
+## Affected Versions
+- Windows 10 for 32-bit Systems
+- Windows 10 for x64-based Systems
+- Windows 10 Version 1607 for 32-bit Systems
+- Windows 10 Version 1607 for x64-based Systems
+- Windows 10 Version 1709 for 32-bit Systems
+- Windows 10 Version 1709 for ARM64-based Systems
+- Windows 10 Version 1709 for x64-based Systems
+- Windows 10 Version 1803 for 32-bit Systems
+- Windows 10 Version 1803 for ARM64-based Systems
+- Windows 10 Version 1803 for x64-based Systems
+- Windows 10 Version 1809 for 32-bit Systems
+- Windows 10 Version 1809 for ARM64-based Systems
+- Windows 10 Version 1809 for x64-based Systems
+- Windows 10 Version 1903 for 32-bit Systems
+- Windows 10 Version 1903 for ARM64-based Systems
+- Windows 10 Version 1903 for x64-based Systems
+- Windows 10 Version 1909 for 32-bit Systems
+- Windows 10 Version 1909 for ARM64-based Systems
+- Windows 10 Version 1909 for x64-based Systems
+- Windows Server 2016
+- Windows Server 2016  (Server Core installation)
+- Windows Server 2019
+- Windows Server 2019  (Server Core installation)
+- Windows Server, version 1803  (Server Core Installation)
+- Windows Server, version 1903 (Server Core installation)
+- Windows Server, version 1909 (Server Core installation)
 
 ## How-To detect that
 
@@ -74,6 +101,13 @@ Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName =
 ### Detect the version of current "crypto32.dll"
 #### Check the file signatures and dates
 - Eg: On windows 10, the new DLL is signed with the following timestamp "Friday 3 january 2020 06:14:45"
-- Eg: On Windows 10, the new DLL has the following serial number "330000023241fb59996dcc4dff000000000232"
+- Eg: On Windows 10, the new DLL has the following version "10.0.18362.592"
+- Eg: On Windows 10, the new DLL has the following hashes:
+  - CRC32: 2B82D538
+  - CRC64: 14D5AADB0BD14B22
+  - SHA256: E832E3A58B542E15A169B1545CE82451ACE19BD361FD81764383048528F9B540
+  - SHA1: 7A9DD389B0E3C124D4BFE5C1FF15F9A93285514F
+  - BLAKE2sp: EEE317CD4E1C395DD1DBCA3DCD066728FAE00250D6884EA63B9F6CAD83C14610
+
 - PowerShell & SCCM are your friends to gain a visibility in your networks
 
diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -6,17 +6,53 @@
 - The flaw is located in the "CRYPT32.DLL".
 
 ## Vulnerability explanation
+- NSA description:
+- NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality.
+- The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. 
+- The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. 
+- Examples where validation of trust may be impacted include:
+  - HTTPS connections
+  - Signed files and emails
+  - Signed executable code launched as user-mode processes
+
+- The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. 
+- NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. 
+- The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. 
+- Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all
+network owners.
+
 - Author's note: still assessing the situation
 
+## REFERENCES
+- [Microsoft Security Advisory](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601)
+- [NSA Security Advisory](https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF)
+- [Microsoft BlogPost](https://msrc-blog.microsoft.com/2020/01/14/january-2020-security-updates-cve-2020-0601/)
+- [NSA BlogPost](https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2056772/a-very-important-patch-tuesday/)
+- [CISA-ED20-02](https://cyber.dhs.gov/ed/20-02/)
+- [CISA-Alert-aa20-014a](https://www.us-cert.gov/ncas/alerts/aa20-014a)
+- [CERT-FR_ALERTE](https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-004/)
+- [CERT/CC VU#849224](https://kb.cert.org/vuls/id/849224/)
+- 
+
+
 ## How-To detect that
 
 ### Vendors detections
 #### Microsoft
 - [Exploit:Win32/CVE-2020-0601.A](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2020-0601.A&ThreatID=2147749406)
 - [Exploit:Win32/CVE-2020-0601.B](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2020-0601.B&threatId=-2147217889)
 
+#### Inside Windows logs
+- Matt Graeber gave a us a oneliner command to check quickly in the log if there's any evidence of an event linked to CVE-2020-0601 (Application/EID 1-2)
+```
+Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId
+```
+- [Source](https://twitter.com/mattifestation/status/1217179698008068096)
+- [Microsoft API documentation](https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-cveeventwrite)
+
+
 #### Crowdstrike
-- [Argue they detect on patched devices](https://twitter.com/aionescu/status/1217157482600108033)
+- [Detection using Windows new API on patched devices](https://twitter.com/aionescu/status/1217157482600108033)
 
 #### Symantec 
 - [ID Not assigned yet](https://support.symantec.com/us/en/article.TECH257115.html)
@@ -31,15 +67,13 @@
 #### ESET
 - [TBD]
 
+#### Kaspersky
+- [TBD]
+
+## DETECT
 ### Detect the version of current "crypto32.dll"
 #### Check the file signatures and dates
 - Eg: On windows 10, the new DLL is signed with the following timestamp "Friday 3 january 2020 06:14:45"
 - Eg: On Windows 10, the new DLL has the following serial number "330000023241fb59996dcc4dff000000000232"
 - PowerShell & SCCM are your friends to gain a visibility in your networks
 
-#### Inside Windows logs
-- Matt Graeber gave a us a oneliner command to check quickly in the log if there's any evidence of an event linked to CVE-2020-0601
-
-''' 
-Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId
-'''
diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -39,6 +39,7 @@
 
 #### Inside Windows logs
 - Matt Graeber gave a us a oneliner command to check quickly in the log if there's any evidence of an event linked to CVE-2020-0601
+
 ''' 
 Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId
 '''
diff --git a/20200114-TLP-WHITE_CVE-2020-0601.md b/20200114-TLP-WHITE_CVE-2020-0601.md
@@ -0,0 +1,44 @@
+# CVE-2020-0601
+
+## General
+- Microsoft disclosed a vulnerability in their routinely Patch Tuesday refereced under CVE-2020-0601.
+- The vulnerability was discovered by the U.S. National Security Agency in their press conference and followed by a blog post and an official security advisory.
+- The flaw is located in the "CRYPT32.DLL".
+
+## Vulnerability explanation
+- Author's note: still assessing the situation
+
+## How-To detect that
+
+### Vendors detections
+#### Microsoft
+- [Exploit:Win32/CVE-2020-0601.A](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2020-0601.A&ThreatID=2147749406)
+- [Exploit:Win32/CVE-2020-0601.B](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2020-0601.B&threatId=-2147217889)
+
+#### Crowdstrike
+- [Argue they detect on patched devices](https://twitter.com/aionescu/status/1217157482600108033)
+
+#### Symantec 
+- [ID Not assigned yet](https://support.symantec.com/us/en/article.TECH257115.html)
+- [ThreatCenter](https://www.symantec.com/security-center/vulnerabilities/writeup/111370)
+
+#### McAfee 
+- [TBD]
+
+#### Sophos 
+- [TBD]
+
+#### ESET
+- [TBD]
+
+### Detect the version of current "crypto32.dll"
+#### Check the file signatures and dates
+- Eg: On windows 10, the new DLL is signed with the following timestamp "Friday 3 january 2020 06:14:45"
+- Eg: On Windows 10, the new DLL has the following serial number "330000023241fb59996dcc4dff000000000232"
+- PowerShell & SCCM are your friends to gain a visibility in your networks
+
+#### Inside Windows logs
+- Matt Graeber gave a us a oneliner command to check quickly in the log if there's any evidence of an event linked to CVE-2020-0601
+''' 
+Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId
+'''