Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
title: Terminal Service Process Spawn
id: 1012f107-b8f1-4271-af30-5aed2de89b39
status: test
description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
references:
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
author: Florian Roth (Nextron Systems)
date: 2019-05-22
modified: 2023-01-25
tags:
- attack.initial-access
- attack.t1190
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentCommandLine|contains|all:
- '\svchost.exe'
- 'termsvcs'
filter_img:
Image|endswith:
- '\rdpclip.exe'
- ':\Windows\System32\csrss.exe'
- ':\Windows\System32\wininit.exe'
- ':\Windows\System32\winlogon.exe'
filter_null:
Image: null
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
imProcessCreate
| where (ActingProcessCommandLine contains "\\svchost.exe" and ActingProcessCommandLine contains "termsvcs") and (not(((TargetProcessName endswith "\\rdpclip.exe" or TargetProcessName endswith ":\\Windows\\System32\\csrss.exe" or TargetProcessName endswith ":\\Windows\\System32\\wininit.exe" or TargetProcessName endswith ":\\Windows\\System32\\winlogon.exe") or isnull(TargetProcessName))))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |