RDP Sensitive Settings Changed to Zero
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
```yaml
detection:
    selection:
        TargetObject|endswith:
            - '\fDenyTSConnections'     # Specifies whether Remote Desktop connections are enabled; when set to zero RDP is enabled
            - '\fSingleSessionPerUser'  # When changed to 0 it allows multiple RDP sessions
            - '\UserAuthentication'     # Specifies that Network Level Authentication is not required before the remote desktop connection is established
        Details: 'DWORD (0x00000000)'
    condition: selection
```

False positives: Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way).
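As an added illustration (not part of the rule or of this site), the selection logic above evaluated in Python against constructed Sysmon Event ID 13 (registry value set) records. The `RegistryEvent` class, the sample paths and the process images are assumptions made for the example; Sigma string matching is applied case-insensitively, as the Sigma specification defaults to.

```python
# Added example: mirrors the Sigma selection over constructed Sysmon records.
from dataclasses import dataclass

# Value names from the rule's 'TargetObject|endswith' list.
SENSITIVE_VALUE_SUFFIXES = (
    "\\fDenyTSConnections",
    "\\fSingleSessionPerUser",
    "\\UserAuthentication",
)
# 'Details' exactly as Sysmon renders a DWORD value of 0.
ZERO_DWORD = "DWORD (0x00000000)"


@dataclass
class RegistryEvent:            # hypothetical record shape, not Sysmon's schema
    event_id: int
    target_object: str
    details: str
    image: str = ""


def matches_rule(ev: RegistryEvent) -> bool:
    """True when the event satisfies the rule's single selection."""
    if ev.event_id != 13:       # only 'value set' events carry Details
        return False
    target = ev.target_object.lower()   # Sigma matches case-insensitively
    if not any(target.endswith(s.lower()) for s in SENSITIVE_VALUE_SUFFIXES):
        return False
    return ev.details.lower() == ZERO_DWORD.lower()


def run_rule(events):
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample events (paths and images are illustrative only).
TS = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server"
SAMPLE_EVENTS = [
    RegistryEvent(13, TS + "\\fDenyTSConnections", "DWORD (0x00000000)", "reg.exe"),
    RegistryEvent(13, TS + "\\fDenyTSConnections", "DWORD (0x00000001)", "svchost.exe"),
    RegistryEvent(13, TS + "\\WinStations\\RDP-Tcp\\UserAuthentication", "DWORD (0x00000000)", "powershell.exe"),
    RegistryEvent(13, TS + "\\fSingleSessionPerUser", "DWORD (0x00000000)"),
    RegistryEvent(12, TS + "\\fDenyTSConnections", ""),   # key created: no value data
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {hit.image or '<unknown>'} set {hit.target_object} -> {hit.details}")
```

Only the three zero-valued writes fire; the write of 1 (RDP disabled) and the key-creation event do not, which is the behaviour the `Details` clause is there to enforce.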
Techniques
RDP Sensitive Settings Changed
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'. Below is a list of registry keys/values that are monitored by this rule:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
Detects similar activity. Both rules may fire on overlapping events.
RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP. In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
Detects similar activity. Both rules may fire on overlapping events.