Scanner PoC for CVE-2019-0708 RDP RCE Vuln · May 2, 2023 · attack.lateral_movement attack.t1210 car.2013-07-002
Detects the use of the scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708, the RDP RCE also known as BlueKeep
Audit CVE Event
Detects events generated by user-mode applications that call the CveEventWrite API when an attempt to exploit a known vulnerability is detected. Microsoft started using this log in January 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of a CVE being written to this log.
Potential RDP Exploit CVE-2019-0708 · Apr 14, 2023 · attack.lateral_movement attack.t1210 car.2013-07-002
Detects a suspicious RDP protocol error that may indicate exploitation of CVE-2019-0708
Zerologon Exploitation Using Well-known Tools · Apr 14, 2023 · attack.t1210 attack.lateral_movement
Detects attempts to exploit the Zerologon vulnerability (CVE-2020-1472) using the mimikatz zerologon module or other exploits run from a machine with the hostname "kali".
Terminal Service Process Spawn · Mar 5, 2023 · attack.initial_access attack.t1190 attack.lateral_movement attack.t1210 car.2013-07-002
Detects a process spawned by the Terminal Services server process; this could be an indicator of exploitation of CVE-2019-0708
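The two Windows-event rules above (Audit CVE Event and Terminal Service Process Spawn) reduce to Sigma-style field selections over event records. The Python block below is an added example, not the Sigma rules' own code: it implements a minimal selection matcher with the `contains`/`endswith` modifiers, runs it over constructed sample events, and pulls the CVE identifier out of the Audit-CVE message. It assumes that the Audit-CVE event is logged by provider Microsoft-Windows-Audit-CVE as Event ID 1 with the CVE tagged in square brackets in the message, and that the Terminal Services server process is svchost.exe with `TermService` on its command line; neither assumption is stated on the page, and the event records are constructed rather than real telemetry.

```python
"""Mini Sigma-style matcher applied to the Audit CVE and Terminal Service rules (added example)."""
import re

# Sigma-like selections: a field name may carry a modifier after '|'.
# Supported modifiers (subset of Sigma): contains, endswith, startswith.
AUDIT_CVE_SELECTION = {
    "Provider_Name": "Microsoft-Windows-Audit-CVE",   # assumption: Audit-CVE provider name
    "EventID": 1,                                     # assumption: Audit-CVE event ID
}

# Assumption (not stated on the page): the Terminal Services server runs inside
# svchost.exe with "TermService" in its command line.
TERMSERVICE_SPAWN_SELECTION = {
    "EventID": 1,                                     # Sysmon process creation
    "ParentImage|endswith": "\\svchost.exe",
    "ParentCommandLine|contains": "TermService",
}


def _field_matches(value, expected, modifier):
    """Case-insensitive comparison, as Sigma string matching is by default."""
    if value is None:
        return False
    v, e = str(value).lower(), str(expected).lower()
    if modifier is None:
        return v == e
    if modifier == "contains":
        return e in v
    if modifier == "endswith":
        return v.endswith(e)
    if modifier == "startswith":
        return v.startswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(selection, event):
    """All fields of a selection must match (Sigma 'and' semantics inside a map)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), expected, modifier or None):
            return False
    return True


# Assumption: the Audit-CVE message carries the CVE id in square brackets.
CVE_TAG = re.compile(r"\[(CVE-\d{4}-\d{4,})\]")


def audit_cve_hits(events):
    """Return (computer, CVE id) for every Audit-CVE event in `events`."""
    hits = []
    for ev in events:
        if matches(AUDIT_CVE_SELECTION, ev):
            m = CVE_TAG.search(ev.get("Message", ""))
            hits.append((ev.get("Computer"), m.group(1) if m else None))
    return hits


def termservice_spawn_hits(events):
    """Return the child image of every process spawned by the Terminal Services host."""
    return [ev["Image"] for ev in events if matches(TERMSERVICE_SPAWN_SELECTION, ev)]


# Constructed sample events (not real telemetry). Field names follow the
# Sigma/Windows event naming used by common SIEM backends.
SAMPLE_EVENTS = [
    {"Channel": "Application", "Provider_Name": "Microsoft-Windows-Audit-CVE", "EventID": 1,
     "Computer": "ws01", "Message": "[CVE-2020-0601] cert validation. Additional information: ..."},
    {"Channel": "Application", "Provider_Name": "Microsoft-Windows-Audit-CVE", "EventID": 2,
     "Computer": "ws01", "Message": "..."},   # wrong EventID, must not match
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "srv01",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p -s TermService"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "srv01",
     "Image": "C:\\Windows\\System32\\conhost.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"},  # other service host
]

if __name__ == "__main__":
    print(audit_cve_hits(SAMPLE_EVENTS))
    print(termservice_spawn_hits(SAMPLE_EVENTS))
```

Only the svchost instance hosting TermService is reported; a child of the Schedule service host is not, which is the distinction that keeps the Terminal Service rule from firing on every svchost child. The Audit-CVE rule matches on provider and event ID alone, so the CVE extraction is triage enrichment rather than part of the detection.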
Possible Exploitation of Exchange RCE CVE-2021-42321 · Feb 1, 2023 · attack.lateral_movement attack.t1210
Detects log entries that appear during exploitation attempts against the MS Exchange RCE CVE-2021-42321
Execution of ZeroLogon PoC executable · Jan 8, 2023 · attack.execution attack.lateral_movement attack.T1210
Detects the execution of the commonly used ZeroLogon PoC executable.
OMIGOD HTTP No Authentication RCE
Detects exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with a single unauthenticated HTTP request. Verify successful exploitation by inspecting the HTTP request body (for example from a PCAP) to see what was passed to the server: the command to be executed is carried in the request body. Additionally, check the endpoint logs for suspicious commands or activity within the timeframe of this HTTP request.
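The triage step above (flag an unauthenticated request to the OMI endpoint, then read the command out of the request body) can be scripted against a captured request. The Python block below is an added example, not the rule's own logic or any project code. It assumes that OMI serves WS-Man on the `/wsman` path, that the exploit request is a POST carrying a SOAP `ExecuteShellCommand_INPUT` element under the `SCX_OperatingSystem` schema namespace, and that the missing `Authorization` header is what makes the request suspicious; the request bytes are constructed to that shape and are not a real capture.

```python
"""Triage of a candidate OMIGOD (CVE-2021-38647) HTTP request (added example)."""
import xml.etree.ElementTree as ET

# Assumption (not stated on the page): the SCX provider namespace under which the
# ExecuteShellCommand_INPUT / command elements appear in the SOAP body.
SCX_OS_NS = "http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def omigod_triage(raw):
    """Return None if the request is not suspicious; otherwise a dict saying why it
    was flagged and, when the body is SOAP, the shell command it carries."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or not path.startswith("/wsman"):
        return None
    if "authorization" in headers:
        return None                       # authenticated WS-Man traffic is normal for OMI
    finding = {"path": path, "unauthenticated": True, "command": None}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return finding                    # unauthenticated POST to /wsman, body is not SOAP
    cmd = root.find(f".//{{{SCX_OS_NS}}}ExecuteShellCommand_INPUT/{{{SCX_OS_NS}}}command")
    if cmd is not None:
        finding["command"] = (cmd.text or "").strip()
    return finding


# Constructed SOAP body in the shape of public OMIGOD PoCs; not a capture.
EXPLOIT_BODY = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
    f'xmlns:p="{SCX_OS_NS}"><s:Body><p:ExecuteShellCommand_INPUT>'
    "<p:command>id; uname -a</p:command><p:timeout>0</p:timeout>"
    "</p:ExecuteShellCommand_INPUT></s:Body></s:Envelope>"
)


def build_request(body, authorization=None):
    """Assemble a constructed POST /wsman request, optionally with an Authorization header."""
    headers = [
        "POST /wsman HTTP/1.1",
        "Host: 10.0.0.5:5986",            # constructed target, not a real host
        "Content-Type: application/soap+xml;charset=UTF-8",
        f"Content-Length: {len(body.encode())}",
    ]
    if authorization:
        headers.append(f"Authorization: {authorization}")
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()


SAMPLE_EXPLOIT_REQUEST = build_request(EXPLOIT_BODY)

if __name__ == "__main__":
    print(omigod_triage(SAMPLE_EXPLOIT_REQUEST))
    print(omigod_triage(build_request(EXPLOIT_BODY, authorization="Basic b21pOnBhc3M=")))
```

The extracted command is what to look for next in the endpoint logs within the request's timeframe, as the description says; an unauthenticated POST whose body fails to parse is still reported, since the missing header is the anomaly and the payload may simply be malformed or obfuscated.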