Network-Level Authentication (NLA) Disabled

Identifies an attempt to disable Network-Level Authentication (NLA) via registry modification. NLA is a Windows feature that adds a layer of protection to Remote Desktop (RDP) connections by requiring users to authenticate before a full RDP session is established. Attackers can disable NLA to enable persistence methods that need access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence (for example, Sticky Keys).

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/25"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/05"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows
13that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate
14before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the
15Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.registry-*", "endgame-*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Network-Level Authentication (NLA) Disabled"
22references = [
23    "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
24]
25risk_score = 21
26rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42"
27severity = "low"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33registry where host.os.type == "windows" and event.action != "deletion" and
34  registry.path :
35       ("HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication", 
36        "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" ) and
37  registry.data.strings : "0"
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1112"
45name = "Modify Registry"
46reference = "https://attack.mitre.org/techniques/T1112/"
47
48[[rule.threat.technique]]
49id = "T1562"
50name = "Impair Defenses"
51reference = "https://attack.mitre.org/techniques/T1562/"
52
53
54[rule.threat.tactic]
55id = "TA0005"
56name = "Defense Evasion"
57reference = "https://attack.mitre.org/tactics/TA0005/"
