Adversaries may be leveraging the BlueKeep vulnerability (CVE-2019-0708) to establish remote code execution capabilities within an Azure environment. SOC teams should proactively hunt for this behavior to identify and mitigate potential long-term persistence and lateral movement threats.
KQL Query

```kusto
// Suggest setting Timestamp starting from September 6th
// when the BlueKeep Metasploit module was released
let IPs = pack_array("109.176.117.11", "5.100.251.106",
"217.23.5.20", "5.135.199.19");
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in(IPs)
```
```yaml
id: 6b2d0b6e-ec4a-4d71-b1cc-dbc470d2b99e
name: c2-bluekeep
description: |
  This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep).
  CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability involving RDP. Soon after its disclosure, the NSA issued a rare advisory about this vulnerability, out of concern that it could be used to quickly spread malware. Attackers have since used this vulnerability to install cryptocurrency miners on targets.
  Microsoft has issued updates for this vulnerability, as well as guidance for protecting operating systems that we no longer support. Microsoft Defender ATP also contains behavioral detections for defending against this threat.
  The following query locates devices that have communicated with attacker infrastructure associated with BlueKeep-related cryptomining.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-0708
  https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/
  https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/
  https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-0708
  https://support.microsoft.com/help/4500705/customer-guidance-for-cve-2019-0708
  https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Command and control
query: |
  // Suggest setting Timestamp starting from September 6th
  // when the BlueKeep Metasploit module was released
  let IPs = pack_array("109.176.117.11", "5.100.251.106",
  "217.23.5.20", "5.135.199.19");
  DeviceNetworkEvents
  | where Timestamp > ago(7d)
  | where RemoteIP in(IPs)
```
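To make the matching logic of the query concrete without a Defender tenant, here is an added Python equivalent (not code from the page or from Microsoft). It runs the same two filters, a time window and an indicator-IP match, over a handful of constructed rows that use the DeviceNetworkEvents column names Timestamp, DeviceName, ActionType, RemoteIP, RemotePort and InitiatingProcessFileName, and then groups the hits per device for triage. The `since` parameter shows the difference between the rolling `ago(7d)` window and the fixed start date the query comment suggests; the device names, IP 203.0.113.10 and the fixed "now" are assumptions for the example.

```python
"""Offline equivalent of the c2-bluekeep hunting query: match rows shaped like
Microsoft Defender's DeviceNetworkEvents table against the four indicator IPs
inside a time window, then summarize hits per device for triage.
Added example; the events below are constructed, not real telemetry."""
from datetime import datetime, timedelta, timezone

# Indicator list copied from the hunting query on this page.
C2_IPS = frozenset({"109.176.117.11", "5.100.251.106", "217.23.5.20", "5.135.199.19"})

# The query comment suggests starting the window on 6 September (2019), when the
# BlueKeep Metasploit module was released, instead of the rolling ago(7d).
METASPLOIT_RELEASE = datetime(2019, 9, 6, tzinfo=timezone.utc)

# Fixed "now" so the example is reproducible (constructed).
NOW = datetime(2019, 9, 13, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows using DeviceNetworkEvents column names.
SAMPLE_EVENTS = [
    {"Timestamp": "2019-09-12T08:15:00Z", "DeviceName": "ws-finance-07",
     "ActionType": "ConnectionSuccess", "RemoteIP": "5.135.199.19",
     "RemotePort": 443, "InitiatingProcessFileName": "svchost.exe"},
    # Benign traffic to a documentation-range address; must not match.
    {"Timestamp": "2019-09-12T09:00:00Z", "DeviceName": "ws-finance-07",
     "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.10",
     "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
    # Older than 7 days relative to NOW, but after the Metasploit release date.
    {"Timestamp": "2019-09-06T08:00:00Z", "DeviceName": "srv-legacy-01",
     "ActionType": "ConnectionSuccess", "RemoteIP": "109.176.117.11",
     "RemotePort": 80, "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2019-09-13T11:30:00Z", "DeviceName": "srv-build-02",
     "ActionType": "ConnectionFailed", "RemoteIP": "217.23.5.20",
     "RemotePort": 8080, "InitiatingProcessFileName": "wmic.exe"},
]


def parse_ts(value):
    """Parse an ISO-8601 Timestamp as exported from advanced hunting (UTC, 'Z' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_c2_connections(events, indicators=C2_IPS, now=None, since=None):
    """Return events whose RemoteIP is an indicator and whose Timestamp is after `since`.

    `since` defaults to now - 7 days, mirroring `| where Timestamp > ago(7d)`; pass
    METASPLOIT_RELEASE to follow the comment in the query instead.
    """
    now = now or datetime.now(timezone.utc)
    since = since or now - timedelta(days=7)
    hits = []
    for event in events:
        if parse_ts(event["Timestamp"]) <= since:
            continue  # outside the hunting window
        if event["RemoteIP"] in indicators:  # set membership, same as KQL `in(IPs)`
            hits.append(event)
    return hits


def summarize_by_device(hits):
    """Group hits per device: which indicators were contacted, by which processes,
    and whether any connection actually succeeded (a failed connect still matters,
    but a successful one is the stronger signal for incident response)."""
    summary = {}
    for event in hits:
        entry = summary.setdefault(event["DeviceName"], {
            "indicators": set(), "processes": set(), "count": 0, "succeeded": False})
        entry["indicators"].add(event["RemoteIP"])
        entry["processes"].add(event["InitiatingProcessFileName"])
        entry["count"] += 1
        if event["ActionType"] == "ConnectionSuccess":
            entry["succeeded"] = True
    return summary


if __name__ == "__main__":
    for label, since in (("ago(7d)", None), ("since Metasploit release", METASPLOIT_RELEASE)):
        hits = hunt_c2_connections(SAMPLE_EVENTS, now=NOW, since=since)
        print(f"{label}: {len(hits)} hit(s)")
        for device, info in summarize_by_device(hits).items():
            print(f"  {device}: {info}")
```

With the rolling window only two devices surface; widening the start to the Metasploit release date also picks up the older PowerShell connection, which is why the query comment recommends the fixed date for a retrospective hunt. The per-device summary keeps the initiating process and whether the connection succeeded, which is the first thing an analyst needs when deciding whether a hit is an indicator match worth escalating.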
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Remote Desktop Services (RDP) Traffic
Description: RDP sessions are common in enterprise environments and may trigger the rule because their network behavior resembles exploit attempts.
Filter/Exclusion: process.name != "mstsc.exe" and process.name != "rdpclip.exe" and destination.port != 3389
Scenario: Scheduled System Maintenance Tasks
Description: Automated tasks such as Windows Update or system cleanup may produce network patterns similar to exploit attempts.
Filter/Exclusion: process.name != "schtasks.exe" and event_id != 100 (for task scheduler events)
Scenario: Network Discovery Tools in Use
Description: Tools such as nmap or arp-scan are used for network inventory and may trigger the rule because of their network scanning behavior.
Filter/Exclusion: process.name != "nmap.exe" and process.name != "arp-scan.exe"
Scenario: Admin Task – Remote PowerShell Execution
Description: Administrators may use PowerShell remoting for legitimate system management, which can resemble exploit traffic.
Filter/Exclusion: process.name != "powershell.exe" and event_id != 4104 (for PowerShell remoting events)
Scenario: False Positive from Legacy System Communication
Description: Older systems or devices may communicate over outdated protocols that match the signature of the BlueKeep exploit.
Filter/Exclusion: source.ip in (list of known internal legacy systems) or destination.ip in (list of known internal legacy systems)