CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not an internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- RFC 1918 assigns 172.16.0.0/12 (172.16.x.x through 172.31.x.x); a single LIKE '172.16%' only
-- excluded 172.16.x.x, so the GLOB patterns below cover the whole block.
-- Tweak the address filters if you use other non-routable ranges internally (e.g. 100.64.0.0/10).
-- '0', '0.0.0.0' and '::' are the peer values reported for listening sockets, not remote peers.
SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT GLOB '172.1[6-9].*'
AND process_open_sockets.remote_address NOT GLOB '172.2[0-9].*'
AND process_open_sockets.remote_address NOT GLOB '172.3[01].*'
AND process_open_sockets.remote_address NOT LIKE '192.168.%'
AND process_open_sockets.remote_address NOT IN ('0.0.0.0', '::', '0')
-- Win7 / 2008 R2 are NT 6.1 and Windows 8 / 2012 are NT 6.2, so the cut-off is "below 6.2".
-- The original "major < 7 AND minor < 2" also dropped NT 5.2 (Server 2003 / XP x64), which is "& below".
AND (os_version.major < 6 OR (os_version.major = 6 AND os_version.minor < 2));
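The query's LIKE filters approximate "not an internal IP" with string prefixes, which is where the 172.16.0.0/12 gap comes from. The post-processor below is an added example (not part of the gist) that applies the same exposure test to osquery JSON rows with proper CIDR matching; it assumes the rows are shaped like `osqueryi --json` output with `os_version.major`/`minor` selected alongside `remote_address`, and the sample rows are constructed.

```python
import ipaddress
import json

# Constructed sample rows in the shape `osqueryi --json` emits (all values
# are strings), as if os_version.major/minor were selected by the query.
SAMPLE_ROWS = json.loads("""
[
  {"remote_address": "10.20.30.40",  "major": "6", "minor": "1"},
  {"remote_address": "172.20.5.9",   "major": "6", "minor": "1"},
  {"remote_address": "203.0.113.45", "major": "6", "minor": "1"},
  {"remote_address": "203.0.113.46", "major": "6", "minor": "3"},
  {"remote_address": "203.0.113.47", "major": "5", "minor": "2"},
  {"remote_address": "0.0.0.0",      "major": "6", "minor": "1"},
  {"remote_address": "::",           "major": "6", "minor": "1"},
  {"remote_address": "0",            "major": "6", "minor": "1"}
]
""")

# Address space that never represents an Internet peer. Note the full
# RFC 1918 172.16.0.0/12 block, which a LIKE '172.16%' filter misses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fe80::/10", "fc00::/7",
)]

def is_internal(addr: str) -> bool:
    """True for non-routable, unspecified, or unparsable peers. Listening
    sockets report '0', '0.0.0.0' or '::' as the remote address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    if ip.is_unspecified:
        return True
    return any(ip in net for net in INTERNAL_NETS)

def is_affected_version(major: str, minor: str) -> bool:
    """Win7 / 2008 R2 are NT 6.1; anything below NT 6.2 (Win8 / 2012) is in
    scope, which keeps NT 5.2 (Server 2003 / XP x64) unlike 'minor < 2'."""
    return (int(major), int(minor)) < (6, 2)

def exposed_rdp_peers(rows):
    """Remote addresses on port 3389 that are external peers of a
    pre-Windows-8 host, i.e. the rows the gist's query is meant to surface."""
    return [r["remote_address"] for r in rows
            if not is_internal(r["remote_address"])
            and is_affected_version(r["major"], r["minor"])]

if __name__ == "__main__":
    for addr in exposed_rdp_peers(SAMPLE_ROWS):
        print("external RDP peer on in-scope host:", addr)
```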