Network-Level Authentication (NLA) Disabled
Identifies an attempt to disable Network-Level Authentication (NLA) via registry modification. Network-Level Authentication (NLA) is a Windows feature that adds a layer of security to Remote Desktop (RDP) connections by requiring users to authenticate before a full RDP session is established. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features abuse (for example, Sticky Keys).
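# Elastic prebuilt detection rule. Fires on a registry write that turns off
# Network-Level Authentication (NLA) for the RDP-Tcp listener, a change that
# lets sign-in-screen persistence tricks (e.g. Sticky Keys) run without any
# credentials being presented.
[metadata]
creation_date = "2023/08/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level
Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP)
connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to
enable persistence methods that require access to the Windows sign-in screen without authenticating, such as
Accessibility Features persistence methods, like Sticky Keys.
"""
# Lookback window for each execution; it is meant to overlap the schedule
# interval so late-arriving events are not missed — confirm against the
# rule's configured interval.
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Network-Level Authentication (NLA) Disabled"
references = [
    "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
]
# NOTE(review): low severity/risk presumably reflects that administrators may
# also disable NLA for compatibility reasons — confirm and tune per environment.
risk_score = 21
rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
]
# Evaluate the lookback against ingest time rather than event time, so events
# that reach the index late still fall inside the window above.
timestamp_override = "event.ingested"
type = "eql"

# Match a non-deletion registry event on the RDP-Tcp UserAuthentication value
# whose data is "0" (NLA off). Deletions are excluded, presumably because they
# carry no new value to compare. Two path spellings are listed — the HKLM
# short form and the native \REGISTRY\MACHINE form — presumably because the
# data sources differ in how they report the hive; ControlSet* covers
# CurrentControlSet and the numbered ControlSet00N keys. The comparison is on
# registry.data.strings, so the source must render the numeric value as the
# string "0" — confirm for both data sources listed in `index`.
query = '''
registry where host.os.type == "windows" and event.action != "deletion" and
  registry.path :
    ("HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
     "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" ) and
  registry.data.strings : "0"
'''


# MITRE ATT&CK mapping: the registry change itself (T1112) and the defence it
# weakens (T1562), both under the Defense Evasion tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"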