Potential RemoteMonologue Attack

Identifies an attempt to perform session hijacking via COM object registry modification by setting the RunAs value to Interactive User.

Elastic rule

[metadata]
creation_date = "2025/04/14"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies an attempt to perform session hijacking via COM object registry modification by setting the RunAs value to
Interactive User.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential RemoteMonologue Attack"
note = """## Triage and analysis

### Investigating Potential RemoteMonologue Attack

### Possible investigation steps

- Review the registry event logs to confirm the modification of the RunAs value in the specified registry paths, ensuring the change was not part of a legitimate administrative action.
- Identify the user account and process responsible for the registry modification by examining the event logs for associated user and process information.
- Check for any recent remote authentication attempts or sessions on the affected host to determine whether this activity is associated with lateral movement.
- Investigate the timeline of the registry change to correlate it with any other suspicious activities or alerts on the host, such as the execution of unusual processes or network connections.

### False positive analysis

- Software updates or installations that modify COM settings.
- Automated scripts or management tools that adjust COM configurations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Modify the registry value back to its secure state, ensuring that the "RunAs" value is not set to "Interactive User".
- Conduct a thorough review of recent user activity and system logs to identify any unauthorized access or changes made during the period NLA was disabled.
- Reset passwords for all accounts that have accessed the affected system to mitigate potential credential compromise.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Registry Events](https://ela.st/sysmon-event-reg-setup)
"""

references = [
    "https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1",
    "https://github.com/xforcered/RemoteMonologue",
]
risk_score = 47
rule_id = "c18975f5-676c-4091-b626-81e8938aa2ee"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.action != "deletion" and
  registry.value == "RunAs" and registry.data.strings : "Interactive User" and

  not
  (
    (
      process.executable : (
        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.*\\MsMpEng.exe",
        "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
      ) and
      registry.path : "*\\SOFTWARE\\Classes\\AppID\\{1111A26D-EF95-4A45-9F55-21E52ADF9887}\\RunAs"
    ) or
    (
      process.executable : (
        "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
        "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe"
      ) and
      registry.path : "*\\SOFTWARE\\Classes\\AppID\\{850A928D-5456-4865-BBE5-42635F1EBCA1}\\RunAs"
    ) or
    (
      process.executable : "C:\\Windows\\System32\\svchost.exe" and
      registry.path : "*\\S-1-*Classes\\AppID\\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\\RunAs"
    ) or
    (
      process.executable : "C:\\Windows\\System32\\SecurityHealthService.exe" and
      registry.path : (
        "*\\SOFTWARE\\Classes\\AppID\\{1D278EEF-5C38-4F2A-8C7D-D5C13B662567}\\RunAs",
        "*\\SOFTWARE\\Classes\\AppID\\{7E55A26D-EF95-4A45-9F55-21E52ADF9878}\\RunAs"
      )
    ) or
    registry.path : (
      "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*",
      "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*"
    ) or
    (process.executable : "C:\\windows\\System32\\msiexec.exe" and ?user.id : "S-1-5-18")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat.technique.subtechnique]]
id = "T1546.015"
name = "Component Object Model Hijacking"
reference = "https://attack.mitre.org/techniques/T1546/015/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
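To make the query's matching and exclusion logic concrete, here is an added Python re-implementation run over constructed registry events. This is example code, not Elastic's rule engine or the project's code: only the Windows Defender, Office ClickToRun and LocalSystem-msiexec exclusions are reproduced, the event dicts use flattened ECS field names, and the AppID GUID and tool path in the samples are placeholders. It also shows the difference the rule relies on between EQL's case-sensitive `==` and its case-insensitive wildcard `:`.

```python
import re
# Subset of the rule's `not (...)` exclusions: (process.executable patterns or None for any process, registry.path patterns)
EXCLUSIONS = [
    (["C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.*\\MsMpEng.exe",
      "C:\\Program Files\\Windows Defender\\MsMpEng.exe"],
     ["*\\SOFTWARE\\Classes\\AppID\\{1111A26D-EF95-4A45-9F55-21E52ADF9887}\\RunAs"]),
    (None, ["HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*"]),
]

def eql_match(value, patterns):
    """EQL ':' semantics: case-insensitive comparison in which '*' matches any run of characters."""
    if value is None:
        return False
    for pat in patterns:
        regex = ".*".join(re.escape(part) for part in pat.split("*"))
        if re.fullmatch(regex, value, re.IGNORECASE):
            return True
    return False

def matches_rule(ev):
    """True when a flat ECS-style registry event satisfies the rule's EQL query."""
    if ev.get("host.os.type") != "windows" or ev.get("event.action") == "deletion":
        return False
    if ev.get("registry.value") != "RunAs":  # EQL '==' is case-sensitive, ':' is not
        return False
    if not any(eql_match(s, ["Interactive User"]) for s in ev.get("registry.data.strings", [])):
        return False
    exe, path = ev.get("process.executable"), ev.get("registry.path")
    for exe_pats, path_pats in EXCLUSIONS:
        if (exe_pats is None or eql_match(exe, exe_pats)) and eql_match(path, path_pats):
            return False
    # msiexec running as LocalSystem (S-1-5-18) is excluded whatever the key path
    return not (eql_match(exe, ["C:\\windows\\System32\\msiexec.exe"]) and eql_match(ev.get("user.id"), ["S-1-5-18"]))

def sample(overrides):  # constructed event; the AppID GUID and tool path are placeholders, not indicators
    ev = {"host.os.type": "windows", "event.action": "modification", "registry.value": "RunAs",
          "registry.data.strings": ["Interactive User"], "user.id": "S-1-5-21-1111-2222-3333-1001",
          "registry.path": "HKLM\\SOFTWARE\\Classes\\AppID\\{00000000-0000-0000-0000-000000000000}\\RunAs",
          "process.executable": "C:\\Users\\Public\\unknown_tool.exe"}
    return {**ev, **overrides}
SAMPLE_EVENTS = [
    sample({}),                                                             # unknown process: alert
    sample({"event.action": "deletion"}),                                   # value removed: ignored
    sample({"process.executable": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
            "registry.path": "HKLM\\SOFTWARE\\Classes\\AppID\\{1111A26D-EF95-4A45-9F55-21E52ADF9887}\\RunAs"}),
    sample({"registry.path": "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_MACHINE\\RunAs"}),
    sample({"process.executable": "C:\\Windows\\System32\\msiexec.exe", "user.id": "S-1-5-18"}),
    sample({"process.executable": "C:\\Windows\\System32\\msiexec.exe"}),  # msiexec as a normal user: alert
]
def alerts(events=SAMPLE_EVENTS):
    return [i for i, ev in enumerate(events) if matches_rule(ev)]  # expected: [0, 5]
```

Running `alerts()` over the samples flags only the unknown process and the non-SYSTEM msiexec write; the deletion and the Defender, Office and SYSTEM-msiexec cases fall through the same exclusions the EQL `not (...)` block encodes.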
