CVE-2019-0708 – BlueKeep – Monitoring By SIEM

Bluekeep is a critical vulnerability that allows an attacker to send malicious packets to a vulnerable target over RDP and remotely execute commands with elevated privileges.

The vulnerability occurs during pre-authorization and does not require any user interaction, which makes it really critical.

image

This vulnerability will affect these OS versions:

Windows 2003

Windows XP

Windows Vista

Windows 7

Windows Server 2008

Windows Server 2008 R2

We strongly recommend patching the network’s devices and upgrade unsupported platforms.

Link to MSRC to download the relevant patch:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Technical Details

We ran this POC:

https://github.com/Ekultek/BlueKeep

which created an event log with the following details:

Event ID: 4005

Name: Microsoft-Windows-Winlogon 

The packages are based on this event log.

Before installing the packages

Ensure collecting the event log 4005 from the network’s devices by using WEF.

Collecting the logs only from DC will not be enough.

Note that event 4005 is an Application event – most SIEM systems only collect the security events, so make sure to configure it as well.

Download:

GitHub:

https://github.com/cyray/Cyray-IR/tree/master/CVE-2019-0708_BlueKeep

Directly from this site:
ArcSight:

https://www.cyray.com/download/cve-2019-0708-bluekeep-arcsight

QRadar:

https://www.cyray.com/download/cve-2019-0708-bluekeep-qradar

ArcSight Package:

The package mechanism contains a standard rule – when triggered, it adds the relevant fields into an active list – to feed a dashboard to get an overview without sending alerts.

After installing the package and giving the mechanism run for a while, we recommend adding an alert to the rule.

QRadar Package:

Custom property for the event 4005

 

Rule – the role doesn’t create an offense.

We recommend modifying it after it runs for a while, depending on your environment.

 


Important – These packages will work properly in optimized environments only. Make sure the event collection is configured properly – without any data loss or delays.

You are welcome to contact us for any further details.


 

Maayan Shlomo – maayan@cyray.com

Michael Vashinsky – michaelv@cyray.com

 

 admin
Author
author
Share This Story, Choose Your Platform