CVE-2019-0708 BlueKeep - SIEM Content Packages
Bluekeep is a critical vulnerability that allows an attacker to send malicious packets to a vulnerable target over RDP and remotely execute commands with elevated privileges.
The vulnerability occurs during pre-authorization and does not require any user interaction, which makes it really critical.
This vulnerability will affect these OS versions:
Windows Server 2008
Windows Server 2008 R2
We strongly recommend patching the network’s devices and upgrade unsupported platforms.
Link to MSRC to download the relevant patch:
We ran this POC:
which created an event log with the following details:
Event ID: 4005
The packages are based on this event log.
Before installing the packages
Ensure collecting the event log 4005 from the network’s devices by using WEF.
Collecting the logs only from DC will not be enough.
Note that event 4005 is an Application event – most SIEM systems only collect the security events, so make sure to configure it as well.
Directly from this site:
The package mechanism contains a standard rule – when triggered, it adds the relevant fields into an active list – to feed a dashboard to get an overview without sending alerts.
After installing the package and giving the mechanism run for a while, we recommend adding an alert to the rule.
Custom property for the event 4005
Rule – the role doesn’t create an offense.
We recommend modifying it after it runs for a while, depending on your environment.
Important – These packages will work properly in optimized environments only. Make sure the event collection is configured properly – without any data loss or delays.
You are welcome to contact us for any further details.
Maayan Shlomo – [email protected]
Michael Vashinsky – [email protected]