Detectionhightest

Potential Tampering With RDP Related Registry Keys Via Reg.EXE

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Martin Mueller, TheDFIRReportCreated Sat Feb 12Updated Sat Nov 220d5675be-bc88-4172-86d3-1e96a4476536windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_main_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_main_cli:
        CommandLine|contains|all:
            - ' add '
            - '\CurrentControlSet\Control\Terminal Server'
            - 'REG_DWORD'
            - ' /f'
    selection_values_1:
        CommandLine|contains|all:
            - 'Licensing Core'
            - 'EnableConcurrentSessions'
    selection_values_2:
        CommandLine|contains:
            - 'AllowTSConnections'
            - 'fDenyTSConnections'
            - 'fEnableWinStation'
            - 'fSingleSessionPerUser'
            - 'IdleWinStationPoolCount'
            - 'MaxInstanceCount'
            - 'SecurityLayer'
            - 'TSAdvertise'
            - 'TSAppCompat'
            - 'TSEnabled'
            - 'TSUserEnabled'
            - 'WinStations\RDP-Tcp'
    filter_main_values_tls:
        CommandLine|contains|all:
            - 'SecurityLayer'
            - '02'  # TLS Enabled
    condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*