Network-Level Authentication (NLA) Disabled
Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/08/25"
3integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level
13Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP)
14connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to
15enable persistence methods that require access to the Windows sign-in screen without authenticating, such as
16Accessibility Features persistence methods, like Sticky Keys.
17"""
18from = "now-9m"
19index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
20language = "eql"
21license = "Elastic License v2"
22name = "Network-Level Authentication (NLA) Disabled"
23references = [
24 "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
25]
26risk_score = 21
27rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42"
28severity = "low"
29tags = [
30 "Domain: Endpoint",
31 "OS: Windows",
32 "Use Case: Threat Detection",
33 "Tactic: Defense Evasion",
34 "Data Source: Elastic Defend",
35 "Data Source: Elastic Endgame",
36 "Data Source: Microsoft Defender for Endpoint",
37 "Data Source: SentinelOne",
38 "Data Source: Sysmon",
39]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and
45 registry.path : (
46 "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
47 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
48 "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication"
49 ) and registry.data.strings : ("0", "0x00000000")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1112"
57name = "Modify Registry"
58reference = "https://attack.mitre.org/techniques/T1112/"
59
60[[rule.threat.technique]]
61id = "T1562"
62name = "Impair Defenses"
63reference = "https://attack.mitre.org/techniques/T1562/"
64
65
66[rule.threat.tactic]
67id = "TA0005"
68name = "Defense Evasion"
69reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
Microsoft has identified the nation-state activity group Flax Typhoon is targeting organizations in Taiwan, likely to perform espionage.
Read More
Related rules
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Code Signing Policy Modification Through Registry
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of Root Certificate