A vulnerability exists in Remote Desktop Services that can be exploited by sending crafted network requests over RDP. The result could be remote code execution on a victim system without any user authentication or interaction. The vulnerability, CVE-2019-0708, is not known to have been exploited publicly yet, but exploitation is expected. Follow the Microsoft advisory to patch vulnerable systems -- CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability.
The RSA Threat Content Team has added detection for NetWitness packet customers based on the work of the NCC Group. To get the detection, update your Decoders with the latest version of the RDP Lua parser (dated May 22nd, 2019).
If an exploit attempt is detected, meta will be output to the NetWitness Investigation page as
ioc = 'possible CVE-2019-0708 exploit attempt'
You may also see the exploitation by deploying rules to the NetWitness ESA product and viewing the Respond workflow for alerts. Deploy the following rules from Live to ESA:
- RDP Inbound
- RDP from Same Source to Multiple Destinations
RDP Inbound may catch the initial connection from the attacker. Exploitation is expected to be worm-like, spreading to internally networked systems; in that case the second rule, RDP from Same Source to Multiple Destinations, may catch that behavior. Note that you must be monitoring lateral traffic within your network for this detection to work.
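As an added illustration of the logic behind the two ESA rules (this is example code, not NetWitness's own rule definitions), the following Python replays constructed connection records and flags external-to-internal RDP sessions and a single source reaching several distinct RDP destinations within a short window. The internal ranges, the distinct-destination threshold and the window length are assumptions; tune them to your environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample connection records, not real traffic:
# (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_CONNECTIONS = [
    (1000, "203.0.113.7", "10.0.0.5", 3389),  # external -> internal RDP
    (1010, "10.0.0.5", "10.0.0.6", 3389),     # same internal source fanning out...
    (1020, "10.0.0.5", "10.0.0.7", 3389),
    (1030, "10.0.0.5", "10.0.0.8", 3389),
    (1040, "10.0.0.5", "10.0.0.9", 443),      # not RDP, ignored
    (1050, "10.0.0.20", "10.0.0.21", 3389),   # single destination, routine admin use
    (5000, "10.0.0.5", "10.0.0.10", 3389),    # outside the window, counted separately
]

# Assumed internal address space (RFC 1918); adjust for your network.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def rdp_inbound(conns, rdp_port=3389):
    """Mimic 'RDP Inbound': RDP from a non-internal source to an internal host."""
    return [c for c in conns
            if c[3] == rdp_port and not is_internal(c[1]) and is_internal(c[2])]


def rdp_fan_out(conns, threshold=3, window=300, rdp_port=3389):
    """Mimic 'RDP from Same Source to Multiple Destinations'.

    For each source, slide a window over its RDP connections and report the
    largest number of distinct destinations reached within any single window
    that meets the threshold. Returns {src_ip: distinct_destination_count}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(conns):
        if port == rdp_port:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        for ts, _ in events:
            dsts = {d for t, d in events if ts <= t < ts + window}
            if len(dsts) >= threshold:
                alerts[src] = max(len(dsts), alerts.get(src, 0))
    return alerts
```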
- Microsoft. "CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability." May 14, 2019, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
- Ilascu, Ionut. "BlueKeep Remote Desktop Exploits Are Coming, Patch Now!" BleepingComputer, May 20, 2019, https://www.bleepingcomputer.com/news/security/bluekeep-remote-desktop-exploits-are-coming-patch-now/
- NCC Group. "2019_05_rdp_cve_2019_0708.txt" (Suricata signature). May 21, 2019, https://github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt