Indicators of compromise from Ransomware targeting CVE-2019-0708
Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits it could propagate from vulnerable computer to vulnerable computer in a similar way to how the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for it and incorporate it into their malware.
CVE-2019-0708 Details -- Description: A remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
The ArcSight content has been created with ESM version 7 and tested on the same platform. The content should also be compatible with older versions of ESM and Express.
This rule can be used in conjunction with other alerts related to Windows events and Sysmon events; those alerts provide more details about the RDP sessions involved.