Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

RDP Sensitive Settings Changed to Zero

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

RDP Sensitive Settings Changed to Zero

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: RDP Sensitive Settings Changed to Zero
id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
related:
    - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
      type: similar
    - id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
      type: similar
status: test
description: |
    Detects tampering of RDP Terminal Service/Server sensitive settings.
    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
references:
    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-09-29
modified: 2022-11-26
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled
            - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions
            - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml