CVE-2019-0708 – BlueKeep – Monitoring By SIEM

Bluekeep is a critical vulnerability that allows an attacker to send malicious packets to a vulnerable target over RDP and remotely execute commands with elevated privileges.

The vulnerability occurs during pre-authorization and does not require any user interaction, which makes it really critical.


This vulnerability will affect these OS versions:

Windows 2003

Windows XP

Windows Vista

Windows 7

Windows Server 2008

Windows Server 2008 R2

We strongly recommend patching the network’s devices and upgrade unsupported platforms.

Link to MSRC to download the relevant patch:

Technical Details

We ran this POC:

which created an event log with the following details:

Event ID: 4005

Name: Microsoft-Windows-Winlogon 

The packages are based on this event log.

Before installing the packages

Ensure collecting the event log 4005 from the network’s devices by using WEF.

Collecting the logs only from DC will not be enough.

Note that event 4005 is an Application event – most SIEM systems only collect the security events, so make sure to configure it as well.



Directly from this site:


ArcSight Package:

The package mechanism contains a standard rule – when triggered, it adds the relevant fields into an active list – to feed a dashboard to get an overview without sending alerts.

After installing the package and giving the mechanism run for a while, we recommend adding an alert to the rule.

QRadar Package:

Custom property for the event 4005


Rule – the role doesn’t create an offense.

We recommend modifying it after it runs for a while, depending on your environment.


Important – These packages will work properly in optimized environments only. Make sure the event collection is configured properly – without any data loss or delays.

You are welcome to contact us for any further details.


Maayan Shlomo – [email protected]

Michael Vashinsky – [email protected]


Share This Story, Choose Your Platform

Time to market

One-day SIEM integration