ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)

SID: 2027369Rev: 30 views
History
Sourceet/open
CreatedMay 21, 2019
UpdatedJuly 26, 2019
Classificationattempted-admin
alert tcp any any -> any 3389 (msg:"ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 f0|"; distance:2; within:2; content:"|00 05 00 14 7c 00 01|"; within:512; content:"|03 c0|"; distance:3; within:384; content:"MS_T120|00|"; distance:6; within:372; nocase; fast_pattern; threshold:type limit, track by_src, count 2, seconds 600; reference:cve,CVE-2019-0708; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt; classtype:attempted-admin; sid:2027369; rev:3; metadata:attack_target Client_and_Server, created_at 2019_05_21, deployment Perimeter, deployment Internet, deployment Internal, malware_family Bluekeep, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;)

References

cveCVE-2019-0708
urlportal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
urlgithub.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt

Metadata

attack targetClient_and_Server
created at2019_05_21
deploymentInternal
malware familyBluekeep
confidenceMedium
signature severityMajor
tagCISA_KEV
updated at2019_07_26

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!