BlueKeep and SentinelOne

Updated: Mar 11, 2020

The Goal

When I set out to write this blog, the aim was to make use of a publicly available exploit in order to benchmark how well SentinelOne would perform when running on a vulnerable system. The goal was twofold, first to ensure that the SentinelOne agent could detect the exploit and second - if successfully detected – to look at how the exploit attempt was presented by the SentinelOne Deep Visibility module to SentinelOne Management console.

Why BlueKeep

I picked BlueKeep as my vulnerability of choice as it was disclosed recently (2019) and perhaps more importantly because it is a Remote Desktop Protocol (RDP) vulnerability.

With RDP being the most common threat vector for ransomware in the first quarter of 2019, protection against vulnerabilities such as BlueKeep is incredibly important.


The BlueKeep vulnerability is particularly dangerous because it is wormable. This means that a malicious actor could write a piece of malware that could self-propagate (no user interaction) through thousands of vulnerable systems in a very similar manner to WannaCry (which targeted the EternalBlue vulnerability).

To find out more about the vulnerability and its severity visit it National Vulnerability database entry here.

What is BlueKeep

The Bluekeep vulnerability allows for pre-authentication remote code execution in Microsoft Windows RDP enabled systems. This means a carefully crafted exploit could allow execution of code on a device without the need for any interaction from the user. Malware targeting this vulnerability is likely to hit organisations more than home users as RDP is usually only available in professional editions of Windows – most home users will likely use home editions of Windows.