Terminal Service Process Spawn

Detects a process spawned by the terminal service server process, which could be an indicator of exploitation of CVE-2019-0708.

Sigma rule

title: Terminal Service Process Spawn
id: 1012f107-b8f1-4271-af30-5aed2de89b39
status: test
description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
references:
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
author: Florian Roth (Nextron Systems)
date: 2019/05/22
modified: 2023/01/25
tags:
    - attack.initial_access
    - attack.t1190
    - attack.lateral_movement
    - attack.t1210
    - car.2013-07-002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentCommandLine|contains|all:
            - '\svchost.exe'
            - 'termsvcs'
    filter_img:
        Image|endswith:
            - '\rdpclip.exe'
            - ':\Windows\System32\csrss.exe'
            - ':\Windows\System32\wininit.exe'
            - ':\Windows\System32\winlogon.exe'
    filter_null:
        Image: null
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
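
The rule's condition, evaluated by hand over a few process-creation events (an added example, not part of the Sigma project and not the output of a Sigma backend). The event dictionaries, their `name` labels and the `matches`/`alerts` helpers are constructed for illustration; a missing `Image` field is assumed to be treated the same as a null one.

```python
# Hand translation of the rule's detection block. Sigma string modifiers
# match case-insensitively, so both sides are lowercased before comparing.

PARENT_ALL = ("\\svchost.exe", "termsvcs")      # selection: contains|all
IMAGE_SUFFIXES = (                               # filter_img: endswith (any of)
    "\\rdpclip.exe",
    ":\\windows\\system32\\csrss.exe",
    ":\\windows\\system32\\wininit.exe",
    ":\\windows\\system32\\winlogon.exe",
)

def matches(event: dict) -> bool:
    """Return True when the event satisfies: selection and not 1 of filter_*."""
    parent = (event.get("ParentCommandLine") or "").lower()
    selection = all(needle in parent for needle in PARENT_ALL)

    image = event.get("Image")
    filter_null = image is None                  # filter_null: Image: null
    filter_img = image is not None and image.lower().endswith(IMAGE_SUFFIXES)

    return selection and not (filter_img or filter_null)

def alerts(events: list) -> list:
    """Names of the sample events that would raise the alert."""
    return [e["name"] for e in events if matches(e)]

# Constructed sample data (not taken from real logs).
TERMSVC = r"C:\Windows\System32\svchost.exe -k termsvcs"
SAMPLE_EVENTS = [
    # Expected child of the service: suppressed by filter_img.
    {"name": "rdpclip", "ParentCommandLine": TERMSVC,
     "Image": r"C:\Windows\System32\rdpclip.exe"},
    # Unexpected child; parent logged in upper case still matches.
    {"name": "cmd_upper", "ParentCommandLine": TERMSVC.upper(),
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Same file name as an allowed image, but outside System32: not filtered.
    {"name": "fake_winlogon", "ParentCommandLine": TERMSVC,
     "Image": r"C:\Users\Public\winlogon.exe"},
    # Image not populated by the log source: suppressed by filter_null.
    {"name": "null_image", "ParentCommandLine": TERMSVC, "Image": None},
    # svchost.exe hosting a different service group: selection fails.
    {"name": "netsvcs", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```
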
