Author: [email protected]

As the Metasploit Bluekeep exploit module released to the public in few days ago, that’s lets me experiment the exploit and analyze the network traffic and logs generated.

This article will demonstrate quick PoC video and will explain the initial RDP connection sequence of the exploit, and provide detection methods in the wire and host level.

Vulnerability Overview

CVE-2019-0708 or Bluekeep is a vulnerability in Windows remote desktop service (RDP) that allows an attacker to execute unauthenticated arbitrary code in the target machine.

PoC

in the above video showing the exploit using Metasploit framework against Windows 7 SP1 ruining in VirtualBox. exploit module Groomsize setting of 150 used and worked for me.

Continue reading “Metasploit BlueKeep CVE-2019-0708 Exploit Logs Analysis and Detection” →

I decided to write this blog because I did not notice anyone publish any real detection methods or network/host forensics analysis yet until now. I will not talk about how the exploit works, but I will try to demonstrate quick PoC and analyze logs generated by that exploit and will provide some detection methods for the early stages of the attack.

If you want to read more about the exploit and how it works, I advise to read the below articles:

https://www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability
https://x3fwy.bitcron.com/post/sharepoint-rce-explained

Quick PoC

In the above video you will see I’m doing the exploit and executing remote command and creating new process in the server side by sending a crafted HTTP POST request with particular path and payload parameter value.

Continue reading “CVE-2019-0604: SharePoint RCE Forensics Analysis And Detection Methods” →