Type: Detection | Level: high | Status: test
Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history
Author: Christian Burkard (Nextron Systems)
Created: Tue Oct 19
Updated: Wed Feb 08
Rule ID: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Delete (raw: registry_delete)
Detection Logic (2 selectors)
detection:
    selection1:
        EventType: DeleteValue
        TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
    selection2:
        EventType: DeleteKey
        TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
    condition: 1 of selection*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
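The detection logic above, evaluated against constructed Sysmon-style registry events. This is an added example, not code from the rule page or the Sigma project; it assumes events are dicts carrying the EventType and TargetObject fields the rule references, and implements the default Sigma case-insensitive "contains" match.

```python
"""Evaluate the two selectors of the MSTSC history-cleared rule above."""

# The rule's selections, transcribed from the YAML. Sigma string matching is
# case-insensitive by default, so "contains" is a lower-cased substring test.
RULE_SELECTIONS = {
    "selection1": {
        "EventType": "DeleteValue",
        "TargetObject|contains": "\\Microsoft\\Terminal Server Client\\Default\\MRU",
    },
    "selection2": {
        "EventType": "DeleteKey",
        "TargetObject|contains": "\\Microsoft\\Terminal Server Client\\Servers\\",
    },
}


def _field_matches(field_spec, pattern, event):
    name, _, modifier = field_spec.partition("|")
    value = event.get(name)
    if value is None:
        return False
    if modifier == "contains":
        return pattern.lower() in str(value).lower()
    if modifier == "":
        return str(value).lower() == pattern.lower()
    raise ValueError(f"unsupported modifier: {modifier}")


def matching_selections(event):
    """Names of selections whose field conditions all hold (ANDed per selection)."""
    return [name for name, sel in RULE_SELECTIONS.items()
            if all(_field_matches(k, v, event) for k, v in sel.items())]


def matches_rule(event):
    # condition: 1 of selection*  -> any matching selection fires the rule
    return bool(matching_selections(event))


# Constructed sample events (not real telemetry); SID and server name are made up.
_HIVE = "HKU\\S-1-5-21-111-222-333-1001\\SOFTWARE\\Microsoft\\Terminal Server Client"
SAMPLE_EVENTS = [
    {"EventType": "DeleteValue", "TargetObject": _HIVE + "\\Default\\MRU0"},  # alert
    {"EventType": "DeleteKey", "TargetObject": _HIVE + "\\Servers\\srv01"},   # alert
    {"EventType": "SetValue", "TargetObject": _HIVE + "\\Default\\MRU0"},     # normal connect
    {"EventType": "DeleteKey", "TargetObject": _HIVE + "\\Servers"},          # see note
]


def run_detection(events=SAMPLE_EVENTS):
    """Return indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in run_detection():
        print(f"ALERT event[{i}]: {matching_selections(SAMPLE_EVENTS[i])}")
```

Note that the last sample event, deleting the Servers key itself, does not match: selection2's pattern ends with a trailing backslash, so only subkeys under Servers\ are covered as the rule is written.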
MITRE ATT&CK
Rule Metadata
Rule ID
07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
Status
test
Level
high
Type
Detection
Created
Tue Oct 19
Modified
Wed Feb 08
Path
rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
Raw Tags
attack.persistence
attack.defense-evasion
attack.t1070
attack.t1112