Potential RDP Exploit CVE-2019-0708
Detect suspicious error on protocol RDP, potential CVE-2019-0708
Sigma rule (View on GitHub)
1title: Potential RDP Exploit CVE-2019-0708
2id: aaa5b30d-f418-420b-83a0-299cb6024885
3status: test
4description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
5references:
6 - https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
7 - https://github.com/Ekultek/BlueKeep
8author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
9date: 2019-05-24
10modified: 2022-12-25
11tags:
12 - attack.lateral-movement
13 - attack.t1210
14 - car.2013-07-002
15 - cve.2019-0708
16 - detection.emerging-threats
17logsource:
18 product: windows
19 service: system
20detection:
21 selection:
22 EventID:
23 - 56
24 - 50
25 Provider_Name: TermDD
26 condition: selection
27falsepositives:
28 - Bad connections or network interruptions
29# too many false positives
30level: medium
References
-
Scanner PoC for CVE-2019-0708 RDP RCE vuln. Contribute to zerosum0x0/CVE-2019-0708 development by creating an account on GitHub.
Read More -
Proof of concept for CVE-2019-0708. Contribute to Ekultek/BlueKeep development by creating an account on GitHub.
Read More
Related rules
- Scanner PoC for CVE-2019-0708 RDP RCE Vuln
- OMIGOD HTTP No Authentication RCE - CVE-2021-38647
- WannaCry Ransomware Activity
- Possible Exploitation of Exchange RCE CVE-2021-42321
- Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC