Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Company
Platform
Modern NDR
Resources
Company
DETECTION OVERVIEW
Risk Factors
BlueKeep is a Remote Desktop vulnerability that is well known and has been implemented in a number of exploits. An attacker can grant themselves administrator access to a network-accessible Windows system without user credentials. This process can also be automated through malware or a self-replicating worm. Remote Desktop is commonly enabled on devices, which increases the likelihood of this threat to significantly affect or even halt business services.
Category
Remote Desktop is a built-in tool in Microsoft Windows that enables an authorized remote user to access a Windows system over a network as if they are at the local desktop. Leveraging the BlueKeep vulnerability, an attacker can gain full control over a Windows workstation or server, without needing a user account or privileged access. First, the attacker establishes a Remote Desktop session that includes the internal virtual channel, MS_T120. Virtual channels are extensions that add functionality to Remote Desktop. However, MS_T120 is rarely associated with a typical RDP session. After establishing a session, the attacker is then able to run arbitrary code that crashes or could fully compromise the device. Ultimately, the attacker can create administrator accounts; read, modify, or delete local data; run arbitrary commands and code; and launch additional attacks on the network from behind firewalls and other defensive measures. This vulnerability can also be leveraged by malware and be spread automatically as a worm.
Install relevant patches for affected Windows versions. Due to the severity of this vulnerability, Microsoft has extended patches to products that are otherwise out of support.
Disable Remote Desktop Services unless required
Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
Configure firewalls to block traffic on TCP port 3389
Network analysis and visibility solutions remain underrepresented in enterprises. Find out why in this preview of a new Wave report.
ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response
Visit this resource for more information.
This analysis exposes the critical link between an organization's lack of internal visibility and the escalating cost of compromise, demanding an urgent re-evaluation of how core business assets are protected.
Learn why you need to be wary of the claims certain network detection and response providers make about their coverage against the MITRE ATT&CK framework.
Learn how NDR from RevealX helps security teams detect and investigate more adversary TTPs in the MITRE ATT&CK framework than rule-based tools.
