Emerging Threathightest

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems), Adam BradburyCreated Sun Jun 02Updated Sun Dec 258400629e-79a9-4737-b387-5db940ab23672019

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4625
        TargetUserName: AAAAAAA
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement

Techniques

T1210 · Exploitation of Remote Services

CAR Analytics

2013-07-002 · CAR 2013-07-002

Other

detection.emerging-threatscve.2019-0708

Rule Metadata

Rule ID

8400629e-79a9-4737-b387-5db940ab2367

Status

test

Level

high

Type

Emerging Threat

Created

Sun Jun 02

Modified

Sun Dec 25

Author

Florian Roth (Nextron Systems), Adam Bradbury

Path

rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_security_exploit_cve_2019_0708_scanner_poc.yml

Raw Tags

attack.lateral-movementattack.t1210car.2013-07-002detection.emerging-threatscve.2019-0708

View on GitHub