Potential RDP Exploit CVE-2019-0708
Detect suspicious error on protocol RDP, potential CVE-2019-0708
Sigma rule (View on GitHub)
1title: Potential RDP Exploit CVE-2019-0708
2id: aaa5b30d-f418-420b-83a0-299cb6024885
3status: test
4description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
5references:
6 - https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
7 - https://github.com/Ekultek/BlueKeep
8author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
9date: 2019-05-24
10modified: 2022-12-25
11tags:
12 - attack.lateral-movement
13 - attack.t1210
14 - car.2013-07-002
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 EventID:
21 - 56
22 - 50
23 Provider_Name: TermDD
24 condition: selection
25falsepositives:
26 - Bad connections or network interruptions
27# too many false positives
28level: medium
References
-
Scanner PoC for CVE-2019-0708 RDP RCE vuln. Contribute to zerosum0x0/CVE-2019-0708 development by creating an account on GitHub.
Read More -
Proof of concept for CVE-2019-0708. Contribute to Ekultek/BlueKeep development by creating an account on GitHub.
Read More
Related rules
- Scanner PoC for CVE-2019-0708 RDP RCE Vuln
- Terminal Service Process Spawn
- Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
- HackTool - SharpWSUS/WSUSpendu Execution
- Apache Threading Error