added detect-bluekeep-exploitation-attempts.md

martyav · martyav · commit 2a889be93275 · 2020-07-14T18:00:04.000-04:00
diff --git a/Initial access/detect-bluekeep-exploitation-attempts.md b/Initial access/detect-bluekeep-exploitation-attempts.md
@@ -0,0 +1,43 @@
+# Detect BlueKeep exploitation attempts
+
+This query was originally published in the threat analytics report, *Exploitation of CVE-2019-0708 (BlueKeep)*.
+
+[CVE-2019-0708](https://nvd.nist.gov/vuln/detail/CVE-2019-0708), also known as BlueKeep, is a critical remote code execution vulnerability involving RDP. Soon after its disclosure, the NSA issued a rare [advisory](https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/) about this vulnerability, out of concern that it could be used to quickly spread malware. Attackers have since used this vulnerability to [install cryptocurrency miners](https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/) on targets.
+
+Microsoft has issued [updates](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708) for this vulnerability, as well as [guidance](https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708) for protecting operating systems that we no longer support. Microsoft Defender ATP also contains [behavioral detections](https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/) for defending against this threat.
+
+The following query detects devices with RDP connections that could be exploitation attempts.
+
+## Query
+
+```Kusto
+DeviceNetworkEvents
+| where InitiatingProcessFileName =~ "spoolsv.exe"
+| where RemotePort == "3389"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|------------------------|----------|-------|
+| Initial access | v |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement | v |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
