SigmaHQ/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml

title: Potential RDP exploit CVE-2019-0708
description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
references:
    - https://github.com/zerosum0x0/CVE-2019-0708
tags:
    - attack.initial_access
    - car.2013-07-002
status: experimental
author: Lionel PRAT, Christophe BROCAS
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 56
        Source: TermDD
    condition: selection
falsepositives:
    - Bad connections or network interruptions
level: high
Add rule for CVE-2019-0708 2019-05-24 08:01:19 +00:00			`title: Potential RDP exploit CVE-2019-0708`
			`description: Detect suspicious error on protocol RDP, potential CVE-2019-0708`
			`references:`
			`- https://github.com/zerosum0x0/CVE-2019-0708`
			`tags:`
			`- attack.initial_access`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2013-07-002`
Add rule for CVE-2019-0708 2019-05-24 08:01:19 +00:00			`status: experimental`
			`author: Lionel PRAT, Christophe BROCAS`
			`logsource:`
			`product: windows`
			`service: system`
			`detection:`
			`selection:`
			`EventID: 56`
			`Source: TermDD`
			`condition: selection`
			`falsepositives:`
FP adjustments We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list. 2019-05-27 06:54:18 +00:00			`- Bad connections or network interruptions`
			`level: high`
Add rule for CVE-2019-0708 2019-05-24 08:01:19 +00:00