
Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Summary
This detection rule identifies the use of a scanner that probes for systems vulnerable to CVE-2019-0708, also known as BlueKeep, a flaw in the Remote Desktop Protocol (RDP) on Windows machines. The rule is based on Windows security events, specifically failed logon attempts in which the username is 'AAAAAAA', a value characteristic of automated scanning for RDP vulnerabilities. It works by recognizing these anomalous logon events, alerting security teams to potential lateral movement attempts by adversaries leveraging the BlueKeep vulnerability. The rule has a high confidence level because of the specificity of the event conditions it matches. False positives are considered unlikely, making this rule a reliable way to monitor for potential RDP exploitation activity across Windows environments.
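To show how the rule's logic behaves on real-looking telemetry, here is an added example (not the catalogue's or the Sigma project's code) that applies the rule's conditions to constructed Windows Security events. It assumes the failed logon is surfaced as Security EventID 4625 (the standard Windows audit event for a failed logon) with the probed username in TargetUserName; the event field names and sample records are constructed here.

```python
# Added example: a minimal Sigma-style matcher for the BlueKeep scanner rule.
# Assumption: the failed logon is Security EventID 4625 and the scanner's
# username appears in TargetUserName; field names and sample data are constructed.
from typing import Iterable

# Rule logic as the page describes it: a failed logon whose username is 'AAAAAAA'.
BLUEKEEP_SCANNER_RULE = {
    "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln",
    "logsource": {"product": "windows", "service": "security"},
    "selection": {"EventID": 4625, "TargetUserName": "AAAAAAA"},
}


def _field_matches(expected, actual) -> bool:
    """Sigma compares strings case-insensitively; numeric fields must be equal."""
    if actual is None:
        return False
    if isinstance(expected, str):
        return str(actual).lower() == expected.lower()
    return actual == expected


def event_matches(rule: dict, event: dict) -> bool:
    """All selection fields must match (Sigma's implicit AND inside a selection)."""
    if event.get("Channel", "").lower() != rule["logsource"]["service"]:
        return False  # wrong log source, never a hit
    return all(_field_matches(v, event.get(k)) for k, v in rule["selection"].items())


def find_scanner_hits(rule: dict, events: Iterable[dict]) -> list:
    """Return the source addresses of the events that trigger the rule."""
    return [e.get("IpAddress") for e in events if event_matches(rule, e)]


# Constructed sample events modelled on Security log fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4625, "TargetUserName": "AAAAAAA",
     "LogonType": 3, "IpAddress": "192.0.2.10"},   # scanner probe: hit
    {"Channel": "Security", "EventID": 4625, "TargetUserName": "jdoe",
     "LogonType": 10, "IpAddress": "192.0.2.20"},  # ordinary failed logon: no hit
    {"Channel": "Security", "EventID": 4624, "TargetUserName": "AAAAAAA",
     "LogonType": 3, "IpAddress": "192.0.2.30"},   # successful logon: no hit
    {"Channel": "Security", "EventID": 4625, "TargetUserName": "aaaaaaa",
     "LogonType": 3, "IpAddress": "192.0.2.40"},   # case-insensitive: hit
]

if __name__ == "__main__":
    print(find_scanner_hits(BLUEKEEP_SCANNER_RULE, SAMPLE_EVENTS))
```

The two matching records are the ones that combine a failed logon with the scanner's fixed username; a successful logon with that name or a failed logon with any other name does not fire.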
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Logon Session
  • Network Traffic
Created: 2019-06-02