defensivedepth · May 21, 2019 06:04
diff --git a/Internet-Exposed-RDP.sql b/Internet-Exposed-RDP.sql
 -- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
 -- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
 -- If you use 172.16/22 internally, you will need to tweak this

 SELECT process_open_sockets.remote_address, os_version.name 
 FROM process_open_sockets CROSS JOIN os_version
 WHERE process_open_sockets.local_port=3389
 AND process_open_sockets.remote_address NOT LIKE '10.%'
 AND process_open_sockets.remote_address NOT LIKE '172.16%'
 AND process_open_sockets.remote_address NOT LIKE '192.168%'
 AND process_open_sockets.remote_address NOT LIKE '0.0.0.0'
 AND process_open_sockets.remote_address NOT LIKE '::'
 AND process_open_sockets.remote_address NOT LIKE '0'
 AND os_version.major < 7
 AND os_version.minor < 2;
	-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
	-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
	-- If you use 172.16/22 internally, you will need to tweak this

	SELECT process_open_sockets.remote_address, os_version.name
	FROM process_open_sockets CROSS JOIN os_version
	WHERE process_open_sockets.local_port=3389
	AND process_open_sockets.remote_address NOT LIKE '10.%'
	AND process_open_sockets.remote_address NOT LIKE '172.16%'
	AND process_open_sockets.remote_address NOT LIKE '192.168%'
	AND process_open_sockets.remote_address NOT LIKE '0.0.0.0'
	AND process_open_sockets.remote_address NOT LIKE '::'
	AND process_open_sockets.remote_address NOT LIKE '0'
	AND os_version.major < 7
	AND os_version.minor < 2;