Indicators of compromise from Ransomware targeting CVE-2019-0708

Indicators of compromise from Ransomware targeting CVE-2019-0708

Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)

 Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. 

CVE-2019-0708 Details -- Description: A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

The ArcSight Content has been created with ESM 7 Version and tested on the same platform. The content should be compatible with older versions of ESM/Express versions as well.

2019-06-10 12_53_57-ArcSight Console [vm-esm700-demo_admin.ast] Limited validity licens.jpg

2019-06-10 12_32_27-ArcSight Console [vm-esm700-demo_admin.ast] Limited validity licens.jpg

This RULE can be used in conjunction with other alerts related to Windows Events and SYSMON Events. They provide more details about the RDP sessions.


Labels (3)


Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.

Dear All,

I had created the content from ESM 7 and didn't get chance to test on older versions. From compatibility stand point I mentioned that it should be able to work. However it seems that it isn't compatible with older versions. So it's only valid for ESM 7.X customers.

Apologies for the inconvenience.


Pavan Raja

Top Contributors
Version history
Revision #:
4 of 4
Last update:
‎2019-06-10 11:35
Updated by:
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.