Potential Remote Desktop Shadowing Activity

Identifies the modification of the Remote Desktop Protocol (RDP) Shadow policy registry value, or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on, or take control of, other users' active RDP sessions.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/04/12"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes
13indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control
14other users active RDP sessions.
15"""
16from = "now-9m"
17index = [
18    "logs-endpoint.events.process-*",
19    "logs-endpoint.events.registry-*",
20    "winlogbeat-*",
21    "logs-windows.sysmon_operational-*",
22    "endgame-*",
23    "logs-m365_defender.event-*",
24    "logs-sentinel_one_cloud_funnel.*",
25]
26language = "eql"
27license = "Elastic License v2"
28name = "Potential Remote Desktop Shadowing Activity"
29references = [
30    "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
31    "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
32]
33risk_score = 73
34rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156"
35severity = "high"
36tags = [
37    "Domain: Endpoint",
38    "OS: Windows",
39    "Use Case: Threat Detection",
40    "Tactic: Lateral Movement",
41    "Data Source: Elastic Endgame",
42    "Data Source: Elastic Defend",
43    "Data Source: Sysmon",
44    "Data Source: Microsoft Defender for Endpoint",
45    "Data Source: SentinelOne",
46]
47timestamp_override = "event.ingested"
48type = "eql"
49
50query = '''
51/* Identifies the modification of RDP Shadow registry or
52  the execution of processes indicative of active shadow RDP session */
53
54any where host.os.type == "windows" and
55(
56  (event.category == "registry" and
57     registry.path : (
58      "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
59      "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
60      "MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
61    )
62  ) or
63  (event.category == "process" and event.type == "start" and
64     (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
65     (?process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
66  )
67)
68'''
69
70
[[rule.threat]]
framework = "MITRE ATT&CK"
# Tactic given as dotted keys on this threat entry; technique and sub-technique follow as nested tables.
tactic.id = "TA0008"
tactic.name = "Lateral Movement"
tactic.reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"
