Emerging Threatmediumtest

Potential RDP Exploit CVE-2019-0708

Detect suspicious error on protocol RDP, potential CVE-2019-0708

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Lionel PRAT, Christophe BROCASCreated Fri May 24Updated Sun Dec 25aaa5b30d-f418-420b-83a0-299cb60248852019

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        EventID:
            - 56
            - 50
        Provider_Name: TermDD
    condition: selection

False Positives

Bad connections or network interruptions

References

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement

Techniques

T1210 · Exploitation of Remote Services

CAR Analytics

2013-07-002 · CAR 2013-07-002

Other

cve.2019-0708detection.emerging-threats

Rule Metadata

Rule ID

aaa5b30d-f418-420b-83a0-299cb6024885

Status

test

Level

medium

Type

Emerging Threat

Created

Fri May 24

Modified

Sun Dec 25

Author

Lionel PRAT, Christophe BROCAS

Path

rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_system_exploit_cve_2019_0708.yml

Raw Tags

attack.lateral-movementattack.t1210car.2013-07-002cve.2019-0708detection.emerging-threats

View on GitHub