CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this
-- Note: the '172.16%' pattern only excludes 172.16.x.x; the full RFC 1918 block is 172.16.0.0/12 (172.16.x.x - 172.31.x.x)
-- Note: process_open_sockets lists sockets open at query time, so a hit means an RDP session from a
-- non-private peer was established when the query ran; the listening socket itself reports 0.0.0.0 / ::
SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port = 3389
  AND process_open_sockets.remote_address NOT LIKE '10.%'
  AND process_open_sockets.remote_address NOT LIKE '172.16%'
  AND process_open_sockets.remote_address NOT LIKE '192.168%'
  AND process_open_sockets.remote_address NOT LIKE '0.0.0.0'
  AND process_open_sockets.remote_address NOT LIKE '::'
  AND process_open_sockets.remote_address NOT LIKE '0'
  -- Windows NT 6.1 (Win7 / 2008 R2) and older. The original "major < 7 AND minor < 2" test
  -- wrongly dropped NT 5.2 (Server 2003 / XP x64), so compare (major, minor) <= (6, 1) explicitly.
  AND (os_version.major < 6 OR (os_version.major = 6 AND os_version.minor <= 1));
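The filter above is easy to mis-scope with LIKE patterns, so here is the same check written out in Python as an added example (not part of the gist and not osquery's own code). It runs over constructed rows shaped like the process_open_sockets output and goes a little beyond the query: it excludes the whole 172.16.0.0/12 block rather than only 172.16.x.x, unwraps IPv4-mapped IPv6 peers such as ::ffff:a.b.c.d, and treats loopback and link-local peers as internal. The sample addresses, the SAMPLE_SOCKETS rows and the function names are all constructed for the example.

```python
import ipaddress

# RFC 1918 ranges spelled out rather than via ipaddress.is_private, which also
# classifies documentation ranges such as 203.0.113.0/24 as private.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed rows shaped like osquery's process_open_sockets output; the
# addresses are sample values, not observations from a real host.
SAMPLE_SOCKETS = [
    {"local_port": 3389, "remote_address": "0.0.0.0"},             # listening socket, no peer
    {"local_port": 3389, "remote_address": "0"},                   # osquery placeholder for no peer
    {"local_port": 3389, "remote_address": "10.1.2.3"},            # RFC 1918 peer
    {"local_port": 3389, "remote_address": "172.20.5.9"},          # inside 172.16/12, missed by LIKE '172.16%'
    {"local_port": 3389, "remote_address": "203.0.113.7"},         # non-private peer (TEST-NET-3 sample)
    {"local_port": 3389, "remote_address": "::ffff:198.51.100.4"}, # IPv4-mapped IPv6 form of a non-private peer
    {"local_port": 3389, "remote_address": "::1"},                 # IPv6 loopback
    {"local_port": 443,  "remote_address": "198.51.100.20"},       # not RDP, ignored
]


def is_internal(addr: str) -> bool:
    """True when the peer is RFC 1918, loopback, link-local, unspecified, or not an IP at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # osquery reports '0' or '' when the socket has no peer; nothing is exposed there
        return True
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # compare ::ffff:a.b.c.d against the IPv4 ranges
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return True
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def is_affected_os(major: int, minor: int) -> bool:
    """Windows NT 6.1 (Win7 / 2008 R2) and older, the scope of the query above."""
    return (major, minor) <= (6, 1)


def exposed_rdp_peers(sockets, os_major: int, os_minor: int) -> list:
    """Non-internal peers with a session to local port 3389 on an affected OS version."""
    if not is_affected_os(os_major, os_minor):
        return []
    return [
        s["remote_address"]
        for s in sockets
        if s["local_port"] == 3389 and not is_internal(s["remote_address"])
    ]


if __name__ == "__main__":
    for peer in exposed_rdp_peers(SAMPLE_SOCKETS, 6, 1):
        print("RDP session from non-private peer:", peer)
```

Like the query, this only sees sockets that exist at the moment it runs: a host that is reachable on 3389 from the Internet but idle produces no hit, so it complements rather than replaces an inventory of listening services and patch state.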