ATTACK [PTsecurity] MS RDP CredSSP Remote Code Execution MitM (CVE-2018-0886)
Source: ptresearch/attackdetection
Created: December 13, 2021
Updated: December 13, 2021
Classification: attempted-admin
alert tcp $HOME_NET 3389 -> any any (msg:"ATTACK [PTsecurity] MS RDP CredSSP Remote Code Execution MitM (CVE-2018-0886)"; flow:established, from_server, only_stream; content:"|16 03|"; content:"|0B|"; distance:3; within:1; content:"|06 09 2a 86 48 86 f7 0d 01 01 01|"; distance:0; content:"D|00|i|00|s|00|a|00|l|00|l|00|o|00|w|00|S|00|t|00|a|00|r|00|t|00|I|00|f|00|O|00|n|00|B|00|a|00|t|00|t|00|e|00|r|00|i|00|e|00|s|00|"; nocase; distance:0; content:"E|00|x|00|e|00|c|00|"; nocase; distance:0; content:"C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; nocase; distance:0; reference:cve, 2018-0886; reference:url, blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp; classtype:attempted-admin; reference:url, github.com/ptresearch/AttackDetection; sid:10002831; rev:1;)