Attack ID - CVE-2022-26809
CVE-2022-26809 is a critical Remote Code Execution (RCE) vulnerability in Microsoft Windows RPC.
An attacker can send specially crafted RPC packets to a Windows machine.
If the target is unpatched, the attacker may be able to:
- Execute arbitrary code remotely
- Gain SYSTEM privileges
- Install malware
- Deploy ransomware
- Move laterally across the network
Microsoft released a security patch in April 2022
Action-
- Identify Source and Destination-PC
- Check Windows Patch
- Check Event Logs
- Scan the Machine with Install Endpoint Protection
- Check Firewall Action should be blocked if available.
- Confirm ports 135/139/445/593 are not exposed to the Internet.
Check if Attack is Repeated perform below action immidiatly
- Disconnect that PC from the network.
- Run a full antivirus scan.
- Check running processes.
- Review recent software installations.
- Verify no unauthorized remote administration tools are installed.
- If the Source IP is Public