{"id":90173,"date":"2019-11-07T13:05:30","date_gmt":"2019-11-07T21:05:30","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90173"},"modified":"2023-05-15T23:06:21","modified_gmt":"2023-05-16T06:06:21","slug":"the-new-cve-2019-0708-rdp-exploit-attacks-explained","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/","title":{"rendered":"Microsoft works with researchers to detect and protect against new RDP exploits"},"content":{"rendered":"<p>On November 2, 2019, security researcher <a href=\"https:\/\/doublepulsar.com\/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6\">Kevin Beaumont<\/a> reported that his <a href=\"https:\/\/msrc-blog.microsoft.com\/2019\/05\/14\/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708\/\">BlueKeep<\/a> honeypot experienced crashes and was likely being exploited. Microsoft security researchers collaborated with Beaumont as well as another researcher, <a href=\"https:\/\/www.kryptoslogic.com\/blog\/2019\/11\/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild\/\">Marcus Hutchins<\/a>, to investigate and analyze the crashes and confirm that they were caused by a BlueKeep exploit module for the Metasploit penetration testing framework.<\/p>\n<p>BlueKeep is what researchers and the media call <a href=\"https:\/\/msrc-blog.microsoft.com\/2019\/05\/14\/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708\/\">CVE-2019-0708<\/a>, an unauthenticated remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft released a <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-0708\">security<\/a> fix for the vulnerability on May 14, 2019.<\/p>\n<p>While similar vulnerabilities have been abused by worm malware in the past, initial attempts at exploiting this vulnerability involved human operators aiming to penetrate networks via exposed RDP services.<\/p>\n<p>Microsoft had already deployed a behavioral detection for the BlueKeep Metasploit module in early September, so Microsoft Defender ATP customers had protection from this Metasploit module by the time it was used against Beaumont\u2019s honeypot. The module, which appears to be unstable as evidenced by numerous RDP-related crashes observed on the honeypot, triggered the behavioral detection in Microsoft Defender ATP, resulting in the collection of critical signals used during the investigation.<\/p>\n<p>Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines. We saw:<\/p>\n<ul>\n<li>An increase in RDP service crashes from 10 to 100 daily starting on September 6, 2019, when the Metasploit module was released<\/li>\n<li>A similar increase in memory corruption crashes starting on October 9, 2019<\/li>\n<li>Crashes on external researcher honeypots starting on October 23, 2019<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90174\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/11\/bluekee-rdp-crashes.png\" alt=\"\" width=\"1202\" height=\"452\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/bluekee-rdp-crashes.png 1202w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/bluekee-rdp-crashes-300x113.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/bluekee-rdp-crashes-768x289.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/bluekee-rdp-crashes-1024x385.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/bluekee-rdp-crashes-1200x452.png 1200w\" sizes=\"(max-width: 1202px) 100vw, 1202px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 1. Increase in RDP-related service crashes when the Metasploit module was released<\/em><\/p>\n<h2>Coin miner campaign using BlueKeep exploit<\/h2>\n<p>After extracting indicators of compromise and pivoting to various related signal intelligence, Microsoft security researchers found that an earlier coin mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner. This indicated that the same attackers were likely responsible for both coin mining campaigns\u2014they have been actively staging coin miner attacks and eventually incorporated the BlueKeep exploit into their arsenal.<\/p>\n<p>Our machine learning models flagged the presence of the coin miner payload used in these attacks on machines in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90175\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/11\/figure1-coin-miner.png\" alt=\"\" width=\"724\" height=\"483\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure1-coin-miner.png 724w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure1-coin-miner-300x200.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure1-coin-miner-293x195.png 293w\" sizes=\"(max-width: 724px) 100vw, 724px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 2. Geographic distribution of coin miner encounters<\/em><\/p>\n<p>\u200bThese attacks were likely initiated as port scans for machines with vulnerable internet-facing RDP services. Once attackers found such machines, they used the BlueKeep Metasploit module to run a PowerShell script that eventually downloaded and launched several other encoded PowerShell scripts.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90176\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain.png\" alt=\"\" width=\"1387\" height=\"781\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain.png 1387w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain-768x432.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain-1024x577.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain-1083x609.png 1083w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain-767x431.png 767w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain-539x303.png 539w\" sizes=\"(max-width: 1387px) 100vw, 1387px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 3. Techniques and components used in initial attempts to exploit BlueKeep<\/em><\/p>\n<p>We pieced together the behaviors of the PowerShell scripts using mostly memory dumps. The following script activities have also been discussed in <a href=\"https:\/\/doublepulsar.com\/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6\">external researcher blogs<\/a>:<\/p>\n<ol>\n<li>Initial script downloaded another encoded PowerShell script from an attacker-controlled remote server (5.135.199.19) hosted somewhere in France via port 443.<\/li>\n<li>The succeeding script downloaded and launched a series of three to four other encoded PowerShell scripts.<\/li>\n<li>The final script eventually downloaded the coin miner payload from another attacker-controlled server (109.176.117.11) hosted in Great Britain.<\/li>\n<li>Apart from downloading the payload, the final script also created a scheduled task to ensure the coin miner stayed persistent.\u200b<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90177\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/11\/figure3-memory-dump.png\" alt=\"\" width=\"705\" height=\"270\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure3-memory-dump.png 705w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure3-memory-dump-300x115.png 300w\" sizes=\"(max-width: 705px) 100vw, 705px\" \/><\/li>\n<\/ol>\n<p style=\"text-align: center;\"><em>Figure 4. Memory dump of a PowerShell script used in the attacks<\/em><\/p>\n<p>The final script saved the coin miner as the following file:<\/p>\n<p style=\"padding-left: 30px;\"><em>C:\\Windows\\System32\\spool\\svchost.exe<\/em><\/p>\n<p>The coin miner connected to command-and-control infrastructure at 5.100.251.106 hosted in Israel. Other coin miners deployed in earlier campaigns that did not exploit BlueKeep also connected to this same IP address.<\/p>\n<h2>Defending enterprises against BlueKeep<\/h2>\n<p>Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.<\/p>\n<p>The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.<\/p>\n<p>To this end, Microsoft customers can use the rich capabilities in Microsoft Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/windows\/microsoft-defender-atp\">Microsoft Defender ATP<\/a>) to gain visibility on exploit activities and defend networks against attacks. On top of the behavior-based antivirus and endpoint detection and response (EDR) detections, we released a <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/threat-analytics\">threat analytics<\/a> report to help security operations teams to conduct investigations specific to this threat. We also wrote <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/advanced-hunting-overview\">advanced hunting<\/a> queries that customers can use to look for multiple components of the attack.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<h3>Talk to us<\/h3>\n<p>Questions, concerns, or insights on this story? Join discussions at the\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Microsoft-Defender-ATP\/bg-p\/MicrosoftDefenderATPBlog\">Microsoft Defender ATP community<\/a>.<\/p>\n<p>Read all <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/microsoft-security-intelligence\/\">Microsoft security intelligence blog posts<\/a>.<\/p>\n<p>Follow us on Twitter <a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noopener\"><strong>@MsftSecIntel<\/strong><\/a>.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. <\/p>\n","protected":false},"author":68,"featured_media":90179,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3739],"tags":[],"coauthors":[1968],"class_list":["post-90173","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-vulnerabilities-and-exploits"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Microsoft works with researchers to detect and protect against new RDP exploits | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft works with researchers to detect and protect against new RDP exploits | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-11-07T21:05:30+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T06:06:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1387\" \/>\n\t<meta property=\"og:image:height\" content=\"781\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"Microsoft works with researchers to detect and protect against new RDP exploits\",\"datePublished\":\"2019-11-07T21:05:30+00:00\",\"dateModified\":\"2023-05-16T06:06:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/\"},\"wordCount\":895,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/BlueKeep-blog.png\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/\",\"name\":\"Microsoft works with researchers to detect and protect against new RDP exploits | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/BlueKeep-blog.png\",\"datePublished\":\"2019-11-07T21:05:30+00:00\",\"dateModified\":\"2023-05-16T06:06:21+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/BlueKeep-blog.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/BlueKeep-blog.png\",\"width\":440,\"height\":268},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft works with researchers to detect and protect against new RDP exploits\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft works with researchers to detect and protect against new RDP exploits | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft works with researchers to detect and protect against new RDP exploits | Microsoft Security Blog","og_description":"The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/","og_site_name":"Microsoft Security Blog","article_published_time":"2019-11-07T21:05:30+00:00","article_modified_time":"2023-05-16T06:06:21+00:00","og_image":[{"width":1387,"height":781,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain.png","type":"image\/png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/figure2-bluekeep-rdp-attack-chain.png","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"Microsoft works with researchers to detect and protect against new RDP exploits","datePublished":"2019-11-07T21:05:30+00:00","dateModified":"2023-05-16T06:06:21+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/"},"wordCount":895,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/BlueKeep-blog.png","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/","name":"Microsoft works with researchers to detect and protect against new RDP exploits | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/BlueKeep-blog.png","datePublished":"2019-11-07T21:05:30+00:00","dateModified":"2023-05-16T06:06:21+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/BlueKeep-blog.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/11\/BlueKeep-blog.png","width":440,"height":268},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/11\/07\/the-new-cve-2019-0708-rdp-exploit-attacks-explained\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft works with researchers to detect and protect against new RDP exploits"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/90173"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=90173"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/90173\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/90179"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=90173"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=90173"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=90173"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=90173"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=90173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=90173"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=90173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}