Rule Category

FILE-OTHER -- Snort detected traffic targeting vulnerabilities in a file type that does not require enough rule coverage to have its own category.

Alert Message

FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt

Rule Explanation

This event is generated when an attacker attempts to exploit an information disclosure vulnerability present in Microsoft Windows Remote Assistance. Impact: Attempted Information Leak Details: Rule looks for attempts to exploit an information disclosure vulnerability present in Microsoft Windows Remote Assistance. Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

CVE-2018-0878
Windows Remote Assistance in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to how XML External Entities (XXE) are processed, aka "Windows Remote Assistance Information Disclosure Vulnerability".
Details
Severity Base Score
Impact Score Exploit Score
Confidentiality Impact Integrity Impact
Availability Impact Access Vector
Authentication Ease of Access