Potential RDP Exploit CVE-2019-0708
Detect suspicious error on protocol RDP, potential CVE-2019-0708
Sigma rule (View on GitHub)
1title: Potential RDP Exploit CVE-2019-0708
2id: aaa5b30d-f418-420b-83a0-299cb6024885
3status: test
4description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
5references:
6 - https://github.com/zerosum0x0/CVE-2019-0708
7 - https://github.com/Ekultek/BlueKeep
8author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
9date: 2019/05/24
10modified: 2022/12/25
11tags:
12 - attack.lateral_movement
13 - attack.t1210
14 - car.2013-07-002
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 EventID:
21 - 56
22 - 50
23 Provider_Name: TermDD
24 condition: selection
25falsepositives:
26 - Bad connections or network interruptions
27# too many false positives
28level: medium
References
-
Proof of concept for CVE-2019-0708. Contribute to Ekultek/BlueKeep development by creating an account on GitHub.
Read More
Related rules
- Terminal Service Process Spawn
- Zerologon Exploitation Using Well-known Tools
- CobaltStrike Service Installations - System
- Rundll32 Execution Without Parameters
- First Time Seen Remote Named Pipe