Adversaries may exploit the BlueKeep vulnerability to deploy cryptocurrency mining malware on unpatched Windows systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential resource exhaustion and financial loss from unauthorized mining activities.
KQL Query
// Suggest setting Timestamp starting from September 6th
// when the BlueKeep Metasploit module was released
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath endswith "spool\\svchost.exe"
or SHA1=="82288c2dc5c63c1c57170da91f9979648333658e"
id: 2bf77176-1b8a-4466-9b64-6b9fd4023fa5
name: detect-bluekeep-related-mining
description: |
  This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep).
  CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability involving RDP. Soon after its disclosure, the NSA issued a rare advisory about this vulnerability, out of concern that it could be used to quickly spread malware. Attackers have since used this vulnerability to install cryptocurrency miners on targets.
  Microsoft has issued updates for this vulnerability, as well as guidance for protecting operating systems that we no longer support. Microsoft Defender ATP also contains behavioral detections for defending against this threat.
  The following query locates devices where the known coin miner payload was dropped.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-0708
  https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/
  https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/
  https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-0708
  https://support.microsoft.com/help/4500705/customer-guidance-for-cve-2019-0708
  https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Execution
query: |
  // Suggest setting Timestamp starting from September 6th
  // when the BlueKeep Metasploit module was released
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where FolderPath endswith "spool\\svchost.exe"
      or SHA1=="82288c2dc5c63c1c57170da91f9979648333658e"
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
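The predicate the hunting query applies to DeviceFileEvents can be checked offline against a handful of rows. The following Python is an added example, not code from the page or from the Sentinel query repository: it mirrors the query's three conditions (the seven-day window, the path suffix, the SHA1 from the page) over constructed sample rows with hypothetical host names, and summarises hits per device the way a triage queue would consume them.

```python
from datetime import datetime, timedelta, timezone

# Indicators taken from the hunting query on this page.
MINER_PATH_SUFFIX = "spool\\svchost.exe"
MINER_SHA1 = "82288c2dc5c63c1c57170da91f9979648333658e"


def matches_miner_drop(event: dict) -> bool:
    """Mirror the query's predicate for a single DeviceFileEvents row.

    KQL `endswith` is case-insensitive, so the path check lowercases first.
    KQL `==` on strings is case-sensitive, so the hash is compared as-is
    (SHA1 values in DeviceFileEvents are lowercase hex, like the indicator).
    """
    path = (event.get("FolderPath") or "").lower()
    return path.endswith(MINER_PATH_SUFFIX) or event.get("SHA1") == MINER_SHA1


def find_miner_drops(events, now=None, lookback=timedelta(days=7)):
    """Return rows inside the lookback window (ago(7d)) that match the indicators."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - lookback
    return [e for e in events if e["Timestamp"] > cutoff and matches_miner_drop(e)]


def affected_devices(events, now=None, lookback=timedelta(days=7)):
    """Group matching file paths by device name for triage."""
    summary = {}
    for e in find_miner_drops(events, now, lookback):
        summary.setdefault(e["DeviceName"], []).append(e["FolderPath"])
    return summary


# Constructed sample rows (not real telemetry); device names are hypothetical.
NOW = datetime(2019, 9, 13, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws-01",
     "FolderPath": r"C:\Windows\System32\spool\svchost.exe",
     "SHA1": MINER_SHA1},                                   # path and hash both hit
    {"Timestamp": NOW - timedelta(days=2), "DeviceName": "ws-02",
     "FolderPath": r"C:\Users\Public\update.exe",
     "SHA1": MINER_SHA1},                                   # renamed payload, hash hit
    {"Timestamp": NOW - timedelta(days=30), "DeviceName": "ws-03",
     "FolderPath": r"C:\Windows\System32\spool\svchost.exe",
     "SHA1": MINER_SHA1},                                   # outside the 7-day window
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws-04",
     "FolderPath": r"C:\Windows\System32\svchost.exe",
     "SHA1": "0" * 40},                                     # legitimate svchost, no hit
]

if __name__ == "__main__":
    for device, paths in affected_devices(SAMPLE_EVENTS, NOW).items():
        print(device, paths)
```

The second sample row is the reason the query ORs a hash onto the path check: a payload copied under another name still matches on SHA1, while the third row shows why the time window should be widened to the date the query comments suggest when hunting retrospectively.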
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running as part of routine system maintenance (e.g., Windows Update or disk cleanup) may trigger the rule due to network activity or process execution.
Filter/Exclusion: process.name != "schtasks.exe" AND process.name != "wuauclt.exe"
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like Kaspersky, Bitdefender, or Malwarebytes may perform deep scans that involve network communication or memory analysis, which could be flagged by the rule.
Filter/Exclusion: process.name IN ("kavsvc.exe", "bdagent.exe", "mbam.exe")
Scenario: Remote Desktop Services (RDP) Session
Description: A legitimate RDP session might involve network traffic that resembles exploit activity, especially if the session is using non-standard ports or has unusual behavior.
Filter/Exclusion: process.name == "mstsc.exe" OR destination.port IN (3389, 5985)
Scenario: PowerShell Script for System Monitoring
Description: A system administrator may use PowerShell scripts (e.g., Get-EventLog, Get-Service) for monitoring or troubleshooting, which could trigger the rule due to process execution or network calls.
Filter/Exclusion: process.name == "powershell.exe" AND user.name == "Administrator"
Scenario: Database Backup Job
Description: A scheduled database backup job (e.g., using SQL Server Agent or MySQL Dump) may involve network communication or file operations that resemble malicious activity.
Filter/Exclusion: process.name == "sqlservr.exe" OR process.name == "mysqld.exe" OR process.name
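Before any of the scenario filters above is attached to the rule, it is worth checking that it removes the benign activity it was written for and nothing else. The following Python is an added example, not part of the page or of the Sentinel query: it evaluates candidate exclusion predicates, written against the process.name / user.name field names used in the scenarios, over constructed benign and suspect process events with hypothetical users and hosts. It also shows a common mistake when writing such exclusions, joining `!=` comparisons with OR, which is true for every row and therefore suppresses everything.

```python
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Predicate = Callable[[Event], bool]

# Constructed sample rows, not real telemetry; users and paths are hypothetical.
# Known-benign activity the scenarios want to suppress.
BENIGN: List[Event] = [
    {"process.name": "schtasks.exe", "user.name": "SYSTEM"},
    {"process.name": "wuauclt.exe", "user.name": "SYSTEM"},
    {"process.name": "mstsc.exe", "user.name": "jdoe"},
]
# Activity that must keep alerting whatever tuning is applied.
SUSPECT: List[Event] = [
    # The miner payload the query hunts for, running from the spool folder.
    {"process.name": "svchost.exe", "user.name": "SYSTEM",
     "process.path": r"C:\Windows\System32\spool\svchost.exe"},
    # A staging command run in an administrator PowerShell session.
    {"process.name": "powershell.exe", "user.name": "Administrator"},
]


def evaluate_exclusion(exclude: Predicate, benign: List[Event],
                       suspect: List[Event]) -> Tuple[int, int]:
    """Count how many benign and how many suspect rows an exclusion removes."""
    return (sum(1 for e in benign if exclude(e)),
            sum(1 for e in suspect if exclude(e)))


def is_safe_exclusion(exclude: Predicate, benign: List[Event],
                      suspect: List[Event]) -> bool:
    """Usable only if it removes some benign rows and no suspect rows."""
    removed_benign, removed_suspect = evaluate_exclusion(exclude, benign, suspect)
    return removed_benign > 0 and removed_suspect == 0


def or_joined_not_equal(e: Event) -> bool:
    """Common mistake: two `!=` tests joined with OR hold for every row."""
    return e["process.name"] != "schtasks.exe" or e["process.name"] != "wuauclt.exe"


def maintenance_processes(e: Event) -> bool:
    """Intended allowlist for the scheduled-maintenance scenario."""
    return e["process.name"] in ("schtasks.exe", "wuauclt.exe")


def admin_powershell(e: Event) -> bool:
    """Monitoring-script scenario as written: any administrator PowerShell."""
    return e["process.name"] == "powershell.exe" and e["user.name"] == "Administrator"


def review_all() -> Dict[str, Tuple[int, int, bool]]:
    """Report (benign removed, suspect removed, safe) for every candidate."""
    report = {}
    for name, pred in [("or-joined-not-equal", or_joined_not_equal),
                       ("maintenance-allowlist", maintenance_processes),
                       ("admin-powershell", admin_powershell)]:
        removed_benign, removed_suspect = evaluate_exclusion(pred, BENIGN, SUSPECT)
        report[name] = (removed_benign, removed_suspect,
                        is_safe_exclusion(pred, BENIGN, SUSPECT))
    return report


if __name__ == "__main__":
    for name, (b, s, ok) in review_all().items():
        print(f"{name:24} benign removed={b} suspect removed={s} safe={ok}")
```

The administrator-PowerShell predicate fails the check because it would also silence the suspect row; a narrower condition on the script path or command line would be needed before it is safe to use, and the same harness can be rerun against each revision.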