CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7

## Internet-Exposed-RDP.sql
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this

SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'
AND process_open_sockets.remote_address NOT LIKE '0.0.0.0'
AND process_open_sockets.remote_address NOT LIKE '::'
AND process_open_sockets.remote_address NOT LIKE '0'
AND os_version.major < 7
AND os_version.minor < 2;
	-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
	-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
	-- If you use 172.16/22 internally, you will need to tweak this

	SELECT process_open_sockets.remote_address, os_version.name
	FROM process_open_sockets CROSS JOIN os_version
	WHERE process_open_sockets.local_port=3389
	AND process_open_sockets.remote_address NOT LIKE '10.%'
	AND process_open_sockets.remote_address NOT LIKE '172.16%'
	AND process_open_sockets.remote_address NOT LIKE '192.168%'
	AND process_open_sockets.remote_address NOT LIKE '0.0.0.0'
	AND process_open_sockets.remote_address NOT LIKE '::'
	AND process_open_sockets.remote_address NOT LIKE '0'
	AND os_version.major < 7
	AND os_version.minor < 2;