ExtraHop - CVE-2019-0708 (BlueKeep)

This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. MITIGATION OPTIONS - Disable Remote Desktop Services if they are not required - Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 - Configure firewalls to block traffic on TCP port 3389

ExtraHop Reveal(x) · 10 tasks · 1 input · 4 outputs

Inputs

  • AutoBlockIp — Enable the "Block IP" capability automatically (can be either "True" or "False"). The "Block IP" sub-playbook will block the offender IP address in the relevant integrations.

Outputs

  • CVE — Details on the CVE.
  • ExtraHop.Device — Details on the host and any peer devices found.
  • ExtraHop.ActivityMap — The link to a visual activity map in ExtraHop.
  • ExtraHop.Record.Source — Associated transaction records from ExtraHop.

Commands used

cve extrahop-packets-search

Flowchart

yes Yes yes Start Start Done Done Is ExtraHop Reveal(x) enabled? - Exists Is ExtraHop Reveal(x) ena... Exists Run CVE search for BlueKeep vulnerability - cve Run CVE search for BlueKe... cve ExtraHop - Get Peers by Host - ExtraHop - Get Peers by Host ExtraHop - Get Peers by Host ExtraHop - Get Peers by Host Email team to block offender IP address Email team to block offen... Guided investigation steps and mitigation options Guided investigation step... Get associated PCAP file from ExtraHop Reveal(x) - extrahop-packets-search Get associated PCAP file ... extrahop-packets-search Block IP - Generic v2 - Block IP - Generic v2 Block IP - Generic v2 Block IP - Generic v2 Automatically block the offender IP address? Automatically block the o...