Adversaries may attempt to exploit the BlueKeep vulnerability (CVE-2019-0708) by leveraging outdated Windows Remote Desktop Protocol services to execute arbitrary code remotely. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential remote code execution threats before they cause widespread damage.
KQL Query

```kql
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where RemotePort == "3389"
```
```yaml
id: e380a30d-03ff-4d20-b2d5-d0683033d813
name: detect-bluekeep-exploitation-attempts
description: |
  This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep).
  CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability involving RDP. Soon after its disclosure, the NSA issued a rare advisory about this vulnerability, out of concern that it could be used to quickly spread malware. Attackers have since used this vulnerability to install cryptocurrency miners on targets.
  Microsoft has issued updates for this vulnerability, as well as guidance for protecting operating systems that we no longer support. Microsoft Defender ATP also contains behavioral detections for defending against this threat.
  The following query detects devices with RDP connections that could be exploitation attempts.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-0708
  https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/
  https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/
  https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-0708
  https://support.microsoft.com/help/4500705/customer-guidance-for-cve-2019-0708
  https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - InitialAccess
  - LateralMovement
query: |
  DeviceNetworkEvents
  | where InitiatingProcessFileName =~ "spoolsv.exe"
  | where RemotePort == "3389"
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
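The base query returns one row per connection, which is hard to triage. The following tuned version is an added example, not part of the original rule or Microsoft's published query: it keeps the same two conditions (spooler process, remote port 3389), drops inbound and listener records so only outbound attempts remain, and aggregates per device and spooler process so a spooler fanning out to many RDP targets (the post-exploitation spreading behaviour the rule is built around) stands out. Column names are the standard DeviceNetworkEvents schema; the 7-day lookback and the threshold of more than 5 distinct targets are assumptions to tune per environment.

```kql
// Added example (not the original rule): tuned BlueKeep hunt over DeviceNetworkEvents.
// Assumptions: 7d lookback and the >5 distinct-target threshold are environment-specific.
let lookback = 7d;
let fanout_threshold = 5;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Same two conditions as the published query
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where RemotePort == 3389
// Keep outbound attempts only; inbound accepts and listener records are not what we hunt
| where ActionType !in ("InboundConnectionAccepted", "ListeningConnectionCreated")
| summarize
    FirstSeen      = min(Timestamp),
    LastSeen       = max(Timestamp),
    Attempts       = count(),
    DistinctTargets = dcount(RemoteIP),
    SampleTargets  = make_set(RemoteIP, 10),
    CommandLines   = make_set(InitiatingProcessCommandLine, 5)
    by DeviceId, DeviceName, InitiatingProcessId, InitiatingProcessSHA1
// One spooler process reaching many RDP endpoints looks like scanning, not printing
| extend Verdict = iff(DistinctTargets > fanout_threshold, "scan-like fan-out", "single target")
| order by DistinctTargets desc, Attempts desc
```

Because the rule already restricts to spoolsv.exe, the process-name exclusions listed in the scenarios below (mstsc.exe, wusa.exe, nbtstat.exe and so on) do not reduce its results; they matter only if the hunt is widened to all processes talking to port 3389.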
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running on a Windows Server using `schtasks.exe` or Task Scheduler may trigger the rule due to outbound traffic to the BlueKeep port (445).
Filter/Exclusion: Exclude traffic originating from known system maintenance tasks (e.g., `schtasks.exe`, Task Scheduler) or filter by process name: `process.name != "schtasks.exe" and process.name != "TaskScheduler"`
Scenario: Remote Desktop Protocol (RDP) Session
Description: An RDP session using `mstsc.exe` may generate traffic to port 445, which could be misinterpreted as a BlueKeep exploit attempt.
Filter/Exclusion: Exclude traffic associated with RDP sessions by checking the process name: `process.name != "mstsc.exe"` or filter by destination port: `destination.port != 445`
Scenario: Windows Update or Patching Process
Description: Windows Update or patching tools like `wusa.exe` or `WindowsUpdate.exe` may communicate with Microsoft servers over port 445, triggering the rule.
Filter/Exclusion: Exclude traffic from known update processes: `process.name != "wusa.exe" and process.name != "WindowsUpdate.exe"`
Scenario: Network Discovery or NetBIOS Activity
Description: Legitimate network discovery or NetBIOS activity (e.g., `nbtstat.exe`, `net.exe`) may result in traffic to port 445.
Filter/Exclusion: Exclude traffic from NetBIOS or network discovery tools: `process.name != "nbtstat.exe" and process.name != "net.exe"`
Scenario: Antivirus or Security Software Scanning
Description: Antivirus or endpoint protection tools (e