title: Potential RDP exploit CVE-2019-0708
description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
references:
    - https://github.com/zerosum0x0/CVE-2019-0708
    - https://github.com/Ekultek/BlueKeep
tags:
    - attack.initial_access
    - attack.lateral_movement
    - attack.t1210
    - attack.t1190
    - car.2013-07-002
status: experimental
author: "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)"
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID:
            - 56
            - 50
        Source: TermDD
    condition: selection
falsepositives:
    - Bad connections or network interruptions
level: high