CVE-2019-0708 – BlueKeep – Monitoring By SIEM

BlueKeep (CVE-2019-0708) is a critical vulnerability in Remote Desktop Services that lets an attacker send crafted packets to a host exposing RDP and execute arbitrary code on it with SYSTEM-level privileges.

The vulnerable code path is reached before authentication and triggering it requires no user interaction, which is why Microsoft rated it critical and warned that it is wormable.


The vulnerability affects the following OS versions (Windows 8, Windows 10 and Windows Server 2012 onward are not affected):

Windows Server 2003

Windows XP

Windows Vista

Windows 7

Windows Server 2008

Windows Server 2008 R2

We strongly recommend patching every affected host on the network and upgrading unsupported platforms; Microsoft also released fixes for the out-of-support Windows XP and Windows Server 2003. Where patching is delayed, enabling Network Level Authentication (NLA) on RDP hosts and blocking TCP 3389 from untrusted networks reduce exposure, because NLA requires authentication before the vulnerable code path is reached.

Link to MSRC to download the relevant patch:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Technical Details

We ran this proof of concept against a vulnerable host:

https://github.com/Ekultek/BlueKeep

Triggering the vulnerability wrote an event on the targeted host with the following details:

Event ID: 4005

Provider: Microsoft-Windows-Winlogon

Log: Application ("The Windows logon process has unexpectedly terminated.")

Both SIEM packages key on this event.

Before installing the packages

Ensure that event 4005 is collected from all RDP-exposed hosts on the network, for example with Windows Event Forwarding (WEF).

Collecting logs only from the domain controllers is not enough: the event is written on the host that was attacked, not on the DC.

Note that event 4005 is written to the Application log, not the Security log. Most SIEM collectors are configured to forward only Security events, so add the Application log (or at least this event) to the collection configuration as well.
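The following is an added example, not part of the Cyray packages or the original post, showing how a practitioner can wire up that collection and verify it before installing the packages: it registers a source-initiated WEF subscription on the collector that forwards only Winlogon event 4005 from the Application log, and then summarizes the 4005 events that actually arrived, per source host. The subscription name, the description and the 24-hour window are assumptions; it also assumes the RDP hosts are domain-joined and already point at this collector via the "Configure target Subscription Manager" group policy.

```powershell
# Added example (not Cyray's package code). Run as Administrator on the
# Windows Event Collector (WEC) server.

# Subscription ID and description are assumptions; change them to taste.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/WindowsEventCollector">
  <SubscriptionId>Winlogon-4005-BlueKeep</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Winlogon 4005 (Application log) from domain computers, for CVE-2019-0708 monitoring</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- MinLatency pushes events as soon as they are written; the SIEM rules assume no delay -->
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-Winlogon'] and (EventID=4005)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: the "DC" well-known SID is Domain Computers, i.e. every domain-joined host may push -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'Winlogon-4005-BlueKeep.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

# wecutil is the built-in Windows Event Collector utility.
wecutil qc /q                          # configure and start the collector service, no prompt
wecutil cs $xmlPath                    # create the subscription from the XML above
wecutil gr Winlogon-4005-BlueKeep      # runtime status: which source hosts are connected

# Verification: count the 4005 events that actually reached the collector, per host.
# Run it over a baseline window before turning the SIEM rule into an alert; a host
# producing 4005 without a known logon problem is what the rules are meant to surface.
function Get-Winlogon4005Summary {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'ForwardedEvents'
        ProviderName = 'Microsoft-Windows-Winlogon'
        Id           = 4005
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: "No events were found" is an error for Get-WinEvent
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property MachineName |
        Select-Object @{ n = 'Host';  e = { $_.Name } },
                      @{ n = 'Count'; e = { $_.Count } },
                      @{ n = 'Last';  e = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated } } |
        Sort-Object Count -Descending
}

Get-Winlogon4005Summary -Hours 24 | Format-Table -AutoSize
```

If the summary stays empty while you know a host has logged 4005 locally, check `wecutil gr` for the host and the WinRM listener on the source before touching the SIEM side; the packages cannot compensate for events that never leave the endpoint.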

Download:

GitHub:

https://github.com/cyray/Cyray-IR/tree/master/CVE-2019-0708_BlueKeep

Directly from this site:

ArcSight:

https://www.cyray.com/download/cve-2019-0708-bluekeep-arcsight

QRadar:

https://www.cyray.com/download/cve-2019-0708-bluekeep-qradar

ArcSight Package:

The package contains a standard rule. When it fires on event 4005, it adds the relevant fields to an active list that feeds a dashboard, so you get an overview of which hosts are logging the event without generating alerts.

After installing the package and letting it run for a while to establish a baseline, we recommend adding an alert action to the rule.

QRadar Package:

A custom event property that parses the fields of event 4005.

A rule that matches on the event; the rule does not create an offense out of the box.

We recommend enabling an offense (or other response) after the rule has run for a while, depending on what the baseline looks like in your environment.

 


Important: these packages work correctly only when event collection is tuned. Make sure the Application log is collected from every RDP-exposed host, without data loss or delays; a 4005 event that arrives late or not at all cannot be matched by the rules.

You are welcome to contact us for any further details.


 

Maayan Shlomo – [email protected]

Michael Vashinsky – [email protected]

 

Author: idoh