Sid 1-51741

Message

INDICATOR-COMPROMISE Microsoft Windows Remote Desktop client heap spray attempt

Summary

This event is generated when an attacker attempts to exploit a remote code execution vulnerability in the Remote Desktop client.

Impact

Attempted User Privilege Gain

Detailed information

This rule checks for heap spray attempts against Microsoft Windows Remote Desktop clients.

Affected systems

Ease of attack

False positives

Not known

False negatives

Not known

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-1333
  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1333