ExtraHop - CVE-2019-0708 (BlueKeep)
This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. MITIGATION OPTIONS - Disable Remote Desktop Services if they are not required - Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 - Configure firewalls to block traffic on TCP port 3389
ExtraHop Reveal(x) · 10 tasks · 1 input · 4 outputs
Inputs
AutoBlockIp— Enable the "Block IP" capability automatically (can be either "True" or "False"). The "Block IP" sub-playbook will block the offender IP address in the relevant integrations.
Outputs
CVE— Details on the CVE.ExtraHop.Device— Details on the host and any peer devices found.ExtraHop.ActivityMap— The link to a visual activity map in ExtraHop.ExtraHop.Record.Source— Associated transaction records from ExtraHop.
Commands used
cve
extrahop-packets-search