Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Aug 12, 2024 · attack.lateral-movement attack.t1210 car.2013-07-002 ·

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Sigma rule (View on GitHub)

 1title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
 2id: 8400629e-79a9-4737-b387-5db940ab2367
 3status: test
 4description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to  CVE-2019-0708 RDP RCE aka BlueKeep
 5references:
 6    - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
 7    - https://github.com/zerosum0x0/CVE-2019-0708
 8author: Florian Roth (Nextron Systems), Adam Bradbury (idea)
 9date: 2019-06-02
10modified: 2022-12-25
11tags:
12    - attack.lateral-movement
13    - attack.t1210
14    - car.2013-07-002
15logsource:
16    product: windows
17    service: security
18detection:
19    selection:
20        EventID: 4625
21        TargetUserName: AAAAAAA
22    condition: selection
23falsepositives:
24    - Unlikely
25level: high

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Sigma rule (View on GitHub)

References

x.com

https://github.com/zerosum0x0/CVE-2019-0708

Related rules