<div dir="ltr"><div>Hi all, I'm looking into a few detection ideas around the Remote Desktop Gateway RCE vulns</div><div><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609" target="_blank">CVE-2020-0609</a> and <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610" target="_blank">CVE-2020-0610 </a>(AKA Bluegate). These vulns are exposed on UDP Port 3391 (DTLS), which is essentially a speedup of RDP. Given it's DTLS, zeek logs all connections happily into ssl.log, including JA3. </div><div>YMMV but one detection method is to look for (JA3=2e29256489ce9efe000820389e24b2fd OR JA3=698698ef3647fddcc035694ba0878bf2) AND UDP 3391. These are the JA3 of the tools noted below.</div><div>Another method is to baseline a known list of JA3. You could do this methodically, or take the pragmatic approach and just list what JA3 connected to your server on DTLS/3391 server prior to the CVE and then look for anything JA3 that is nett new. </div><div>There are other ways to detect this as well, and I'm interested if anyone is looking into these bugs, and particularly if you are running RDG legit - could you contact me to chat about the sort of legit traffic you see (pcap snippets would be great but a chat is good too)</div><div><p dir="auto">Attack/scanning toolsets currently publicly available (list not exhaustive):</p>
<ol dir="auto">
<li>
<a href="https://github.com/ollypwn/BlueGate" rel="nofollow noreferrer noopener" target="_blank">https://github.com/ollypwn/BlueGate</a> operates in "checking mode" and "DOS" mode.</li>
<li>
<a href="https://twitter.com/layle_ctf/status/1221514332049113095" rel="nofollow noreferrer noopener" target="_blank">https://twitter.com/layle_ctf/status/1221514332049113095</a> an RCE demo has been published but tool not publically available yet.</li>
<li>
<a href="https://github.com/ioncodes/BlueGate" rel="nofollow noreferrer noopener" target="_blank">https://github.com/ioncodes/BlueGate</a>. Check and DOS mode </li>
<li>
<a href="https://github.com/MalwareTech/RDGScanner" rel="nofollow noreferrer noopener" target="_blank">https://github.com/MalwareTech/RDGScanner</a>. Check mode only</li></ol><div>Thanks</div></div><div>Ben Reardon</div><div><br></div></div>