Rule History

SID: 10002831 • Source: ptrules/open

Versions (6)

Version Details (Current)

Rev: 1 • Jul 24, 2025, 5:44 PM

ATTACK [PTsecurity] MS RDP CredSSP Remote Code Execution MitM (CVE-2018-0886)

alert tcp any 3389 -> any any (msg:"ATTACK [PTsecurity] MS RDP CredSSP Remote Code Execution MitM (CVE-2018-0886)"; flow:established, from_server, only_stream; content:"|16 03|"; content:"|0B|"; distance:3; within:1; content:"|06 09 2a 86 48 86 f7 0d 01 01 01|"; distance:0; content:"D|00|i|00|s|00|a|00|l|00|l|00|o|00|w|00|S|00|t|00|a|00|r|00|t|00|I|00|f|00|O|00|n|00|B|00|a|00|t|00|t|00|e|00|r|00|i|00|e|00|s|00|"; nocase; distance:0; content:"E|00|x|00|e|00|c|00|"; nocase; distance:0; content:"C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; nocase; distance:0; reference:cve, 2018-0886; reference:url, blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10002831; rev:1;)

Jul 24, 2025, 5:44 PM

Oct 16, 2025, 10:34 AM

rules/ptopen-attacks.rules