CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7

Internet-Exposed-RDP.sql

-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this

SELECT process_open_sockets.remote_address, os_version.name 
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'
AND process_open_sockets.remote_address NOT LIKE '0.0.0.0'
AND process_open_sockets.remote_address NOT LIKE '::'
AND process_open_sockets.remote_address NOT LIKE '0'
AND os_version.major < 7
AND os_version.minor < 2;