
CVE-2019-0708 – BlueKeep – Monitoring By SIEM


CVE-2019-0708 BlueKeep - SIEM Content Packages

BlueKeep (CVE-2019-0708) is a critical vulnerability in Remote Desktop Services: an attacker sends specially crafted packets to a vulnerable target over RDP (TCP 3389) and gains remote code execution with elevated privileges.

The vulnerability is triggered before authentication and requires no user interaction, which is what makes it wormable and so critical.

The vulnerability affects these OS versions (Windows 8 and later, and Windows Server 2012 and later, are not affected):

Windows 2003

Windows XP

Windows Vista

Windows 7

Windows Server 2008

Windows Server 2008 R2

We strongly recommend patching every affected device on the network and upgrading unsupported platforms; Microsoft also published patches for the out-of-support versions (XP and 2003) because of the severity.

Link to the MSRC advisory, which lists the patch for each affected version:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708


Technical Details

We ran this PoC:

https://github.com/Ekultek/BlueKeep

which generated an event log entry with the following details:

Event ID: 4005

Source (provider): Microsoft-Windows-Winlogon

Log: Application

Message: "The Windows logon process has unexpectedly terminated."

The packages are built around this event.


Before installing the packages

Make sure Event ID 4005 is collected from every device on the network that exposes RDP, for example with Windows Event Forwarding (WEF).

Collecting logs only from the domain controllers is not enough: the event is written locally on the host that was attacked, not on the DC.

Note that event 4005 is written to the Application log, not the Security log. Most SIEM deployments collect only the Security log, so add the Application log (or at least this provider and event ID) to the collection configuration as well.


Download:

GitHub:

https://github.com/cybersiem/CyberSIEM-IR/tree/master/CVE-2019-0708_BlueKeep


Directly from this site:

ArcSight:

https://www.cybersiem.com/download/cve-2019-0708-bluekeep-arcsight

QRadar:

https://www.cybersiem.com/download/cve-2019-0708-bluekeep-qradar


ArcSight Package:

The package contains a standard rule: when it triggers on event 4005, it writes the relevant fields (reporting host, time) into an active list. The active list feeds a dashboard, so you get an overview of affected hosts without sending alerts.

After installing the package and letting it run for a while, we recommend adding an alert action to the rule.


QRadar Package:

A custom event property for event 4005, so the rule can match on the parsed fields.

A rule that matches the event. As shipped, the rule does not create an offense.

We recommend tuning it after it has run for a while in your environment, for example by enabling offense creation once you know the baseline rate of this event.
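The logic the two packages describe (match Winlogon 4005 from the Application log, keep a per-host active list instead of alerting on every hit, and only later turn it into an alert) is shown below as an added example. This is not code from the CyberSIEM packages or from ArcSight/QRadar; it is a stand-alone Python stand-in run over constructed Windows event XML records. The host names, timestamps and the threshold/window values are constructed sample data, and the sliding-window "alert" function is the assumed form of the tuning step the text recommends adding after the rule has run for a while.

```python
"""Added example (not the CyberSIEM packages' code): a minimal stand-in for the
ArcSight active-list / QRadar rule logic described on the page.

1. is_bluekeep_indicator() keeps only Winlogon Event ID 4005 from the *Application*
   channel. A Security-log-only feed never contains this event, which is why the
   sample stream also carries a Security 4624 and a Winlogon event from the System log.
2. build_active_list() keeps one entry per reporting host (first seen, last seen,
   count) instead of raising an alert per event, i.e. the dashboard-first approach.
3. hosts_to_alert() is the later tuning step: alert only when a host reports
   `threshold` hits inside `window_seconds` (threshold and window are assumptions).

All XML records are constructed samples; the field layout follows the standard
Windows event schema (System/Provider, EventID, Channel, Computer, TimeCreated).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _rec(provider, event_id, channel, computer, when):
    """Build a constructed Windows event record (only the <System> block is needed)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f"<Channel>{channel}</Channel><Computer>{computer}</Computer>"
        f'<TimeCreated SystemTime="{when}"/></System></Event>'
    )


# Constructed sample stream: three 4005 hits on SRV-RDP-01, one on WS-07, plus noise
# from other channels that a Security-only or ID-only filter would handle wrongly.
SAMPLE_EVENTS = [
    _rec("Microsoft-Windows-Winlogon", 4005, "Application", "SRV-RDP-01", "2019-06-03T10:00:01Z"),
    _rec("Microsoft-Windows-Security-Auditing", 4624, "Security", "SRV-RDP-01", "2019-06-03T10:00:05Z"),
    _rec("Microsoft-Windows-Winlogon", 4005, "Application", "SRV-RDP-01", "2019-06-03T10:00:09Z"),
    _rec("Microsoft-Windows-Winlogon", 7001, "System", "WS-07", "2019-06-03T10:00:30Z"),
    _rec("Microsoft-Windows-Winlogon", 4005, "Application", "WS-07", "2019-06-03T10:01:00Z"),
    _rec("Microsoft-Windows-Winlogon", 4005, "Application", "SRV-RDP-01", "2019-06-03T10:02:30Z"),
]


@dataclass
class ParsedEvent:
    provider: str
    event_id: int
    channel: str
    computer: str
    time: datetime


def parse_event(xml_text: str) -> ParsedEvent:
    """Extract the fields the rule needs from one event record."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    raw_time = system.find("e:TimeCreated", NS).get("SystemTime")
    # Real records carry fractional seconds ("...:01.1234567Z"); drop them before parsing.
    clean_time = raw_time.split(".")[0].rstrip("Z")
    return ParsedEvent(
        provider=system.find("e:Provider", NS).get("Name"),
        event_id=int(system.find("e:EventID", NS).text),
        channel=system.find("e:Channel", NS).text,
        computer=system.find("e:Computer", NS).text,
        time=datetime.strptime(clean_time, "%Y-%m-%dT%H:%M:%S"),
    )


def is_bluekeep_indicator(ev: ParsedEvent) -> bool:
    """The page's indicator: Winlogon 4005 in the Application log (channel checked explicitly)."""
    return (
        ev.channel == "Application"
        and ev.provider == "Microsoft-Windows-Winlogon"
        and ev.event_id == 4005
    )


@dataclass
class ActiveListEntry:
    """One active-list row per host: the timestamps of every matching event."""
    host: str
    times: list = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.times)

    @property
    def first_seen(self) -> datetime:
        return min(self.times)

    @property
    def last_seen(self) -> datetime:
        return max(self.times)


def build_active_list(xml_records) -> dict:
    """Rule body: for each matching event, add/update the host's active-list entry (no alert)."""
    active: dict = {}
    for raw in xml_records:
        ev = parse_event(raw)
        if not is_bluekeep_indicator(ev):
            continue
        active.setdefault(ev.computer, ActiveListEntry(ev.computer)).times.append(ev.time)
    return active


def hosts_to_alert(active: dict, threshold: int, window_seconds: int) -> list:
    """Tuning step: hosts with `threshold` hits inside any `window_seconds` sliding window."""
    hits = []
    for host, entry in active.items():
        ts = sorted(entry.times)
        for i in range(len(ts) - threshold + 1):
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds:
                hits.append(host)
                break
    return sorted(hits)


if __name__ == "__main__":
    active_list = build_active_list(SAMPLE_EVENTS)
    for host, entry in active_list.items():
        print(f"{host}: {entry.count} hit(s), first {entry.first_seen}, last {entry.last_seen}")
    print("alert:", hosts_to_alert(active_list, threshold=3, window_seconds=300))
```

On the constructed stream the active list holds two hosts (SRV-RDP-01 with three hits, WS-07 with one); the Security 4624 and the Winlogon event from the System log are discarded by the channel check, which is the same gap a Security-only collection leaves. With a threshold of 3 hits in 300 seconds only SRV-RDP-01 alerts; a threshold of 1 reproduces "alert on every hit", which is what the page advises against until the rule has run for a while.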



Important: these packages only work correctly when event collection is reliable. Make sure collection is configured without data loss or delays; a 4005 event that is dropped on the way to the SIEM, or arrives late, is never seen by the rule.

You are welcome to contact us for any further details.



Maayan Shlomo – [email protected]

Michael Vashinsky – [email protected]
