Add rule for CVE-2019-0708

2024-11-06 17:35:19 +00:00 · 2019-05-24 10:01:19 +02:00 · 2019-05-24 10:01:19 +02:00 · f65f693a88
commit f65f693a88
parent 7b63c92fc0
1 changed files with 20 additions and 0 deletions
--- a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
+++ b/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
@ -0,0 +1,20 @@
+title: Potential RDP exploit CVE-2019-0708
+description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
+references:
+    - https://github.com/zerosum0x0/CVE-2019-0708
+tags:
+    - attack.initial_access
+status: experimental
+author: Lionel PRAT, Christophe BROCAS
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 56
+        Source: TermDD
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+