# Who When What
# -----------------------------------------------------------------------------
# Abye Aytaged 05/10/2020 Initial commit - CVE_2019_0708 Detection. The
# portion of the RDP session that is likely to be exploited will be in clear text and
# involves creating a "Static Virtual Channel" named "MS_T120". This module raises
# a notice (written to notice.log) whenever it detects an RDP client channel named "MS_T120".
#
#
# Namespace for this detection script. The Log::ID and Notice::Type values
# exported below are scoped under this prefix, e.g.
# RDP_CVE_2019_0708::Vulnerable_Version.
# NOTE(review): this file has no @load of base/protocols/rdp or
# base/frameworks/notice, so it relies on those being loaded already -- confirm
# for the deployment it runs in.
module RDP_CVE_2019_0708;
export {
	## Log stream identifier reserved for this module. No Log::create_stream()
	## call and no Info record appear in this file, so the stream is declared
	## here but nothing in this file ever writes to it.
	redef enum Log::ID += { LOG };

	## Notice raised when an RDP client requests a static virtual channel
	## named MS_T120.
	## NOTE(review): the name suggests a version check, but the event handler
	## in this file fires on the channel name only; no RDP version field is
	## inspected.
	redef enum Notice::Type += { Vulnerable_Version };
}
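## Inspect the static virtual channels announced in the RDP Client Network
## Data and raise Vulnerable_Version when one of them is named MS_T120, the
## channel name the file header ties to CVE-2019-0708.
##
## c: The connection on which the client channel list was observed.
##
## channels: The channel definitions announced by the client, as parsed by
##           the RDP analyzer.
event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
	{
	for ( i in channels )
		{
		local name = channels[i]$name;

		# The original check matched only "MS_T120\x00" (the 7-byte name plus one
		# NUL of padding). Also accept the bare name so the match does not depend
		# on whether the analyzer keeps or strips trailing NUL padding.
		if ( name != "MS_T120\x00" && name != "MS_T120" )
			next;

		# No $identifier is set, so the Notice framework applies no suppression:
		# every connection that requests the channel produces its own notice.
		# $sub carries the raw channel name as seen on the wire.
		NOTICE([$note=RDP_CVE_2019_0708::Vulnerable_Version,
		        $msg="RDP_CVE_2019_0708 - RDP connection setup with MS_T120 channel, potential CVE-2019-0708",
		        $sub=name,
		        $conn=c]);

		# One notice per connection is enough; a repeated MS_T120 entry in the
		# same channel list would only duplicate it.
		break;
		}
	}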