Potential Remote Desktop Shadowing Activity

Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry value or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or take control of other users' active RDP sessions.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2021/04/12"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes
indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control
other users active RDP sessions.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.registry-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Desktop Shadowing Activity"
references = [
    "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
    "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
]
risk_score = 73
rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
/* Identifies the modification of RDP Shadow registry or
  the execution of processes indicative of active shadow RDP session */

any where host.os.type == "windows" and
(
  (event.category == "registry" and
     registry.path : (
      "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
      "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
      "MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
    )
  ) or
  (event.category == "process" and event.type == "start" and
     (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
     (?process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
  )
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Remote Desktop Shadowing Activity

Remote Desktop Shadowing allows administrators to view or control active RDP sessions, aiding in support and troubleshooting. However, adversaries can exploit this feature to monitor or hijack user sessions without consent. The detection rule identifies suspicious modifications to RDP Shadow registry settings and the execution of specific processes linked to shadowing, signaling potential misuse.

### Possible investigation steps

- Review the registry event details to confirm if there was a modification to the RDP Shadow registry path, specifically checking for changes in "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow".
- Investigate the process events to identify if "RdpSaUacHelper.exe" or "RdpSaProxy.exe" were started by "svchost.exe", which could indicate unauthorized shadowing activity.
- Check for any instances of "mstsc.exe" being executed with the "/shadow:*" argument, as this could signify an attempt to shadow an RDP session.
- Correlate the identified processes and registry changes with user activity logs to determine if the actions were authorized or expected as part of legitimate administrative tasks.
- Analyze network logs for any unusual remote connections or lateral movement patterns that coincide with the timing of the detected shadowing activity.
- Consult endpoint security solutions like Microsoft Defender for Endpoint or SentinelOne for additional context or alerts related to the same host or user account involved in the shadowing activity.

### False positive analysis

- Legitimate administrative activities may trigger alerts when IT staff use RDP Shadowing for support. To manage this, create exceptions for known IT administrator accounts or specific IP addresses.
- Scheduled maintenance or automated scripts that modify RDP Shadow registry settings can be mistaken for malicious activity. Identify and exclude these processes or scripts from the detection rule.
- Security software or monitoring tools that interact with RDP sessions might mimic shadowing behavior. Verify these tools and whitelist their processes to prevent false alerts.
- Training sessions or remote support tools that use RDP Shadowing features can generate alerts. Document and exclude these activities by identifying their unique process names or arguments.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes identified in the alert, such as RdpSaUacHelper.exe, RdpSaProxy.exe, or mstsc.exe with shadowing arguments, to stop potential session hijacking.
- Revert any unauthorized changes to the RDP Shadow registry settings to their default or secure state to prevent further exploitation.
- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized changes have been made, and reset passwords for any compromised accounts.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more quickly in the future.
- Review and update RDP access policies and configurations to ensure they align with best practices, such as enforcing multi-factor authentication and limiting RDP access to only necessary users and systems."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
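To make the query's three branches concrete, and to show what an analyst needs to read out of a registry hit, the following added example (not Elastic's code and not part of the rule) re-implements the EQL logic in Python and runs it over a handful of constructed ECS-shaped events. The `registry.data.strings` field, the event dictionaries and the session IDs are assumptions for illustration; the decoding of the Shadow DWORD (0 disabled, 1/3 full control or view with the user's consent, 2/4 full control or view without consent) follows the Group Policy setting "Set rules for remote control of Remote Desktop Services user sessions", which is the setting this registry value stores.

```python
"""Added example (not Elastic's code): re-implements the EQL query of the
"Potential Remote Desktop Shadowing Activity" rule over constructed events
and decodes the Shadow policy value for triage."""
import fnmatch

SHADOW_PATHS = (
    r"HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow",
    r"\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow",
    r"MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow",
)
HELPER_PROCS = ("rdpsauachelper.exe", "rdpsaproxy.exe")

# Meaning of the Shadow DWORD (GPO "Set rules for remote control of Remote
# Desktop Services user sessions"). Values 2 and 4 let an operator shadow a
# session without the target user seeing a consent prompt, which is what an
# adversary wants; 1 and 3 still prompt the user.
SHADOW_VALUES = {
    0: ("remote control disabled", False),
    1: ("full control, user consent required", False),
    2: ("full control, no user consent", True),
    3: ("view only, user consent required", False),
    4: ("view only, no user consent", True),
}


def eql_match(value, pattern):
    """Mimic the EQL ':' operator: case-insensitive compare with '*' wildcards."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def is_shadowing(ev):
    """Return True when a flat ECS-style event satisfies the rule's query."""
    if ev.get("host.os.type") != "windows":
        return False
    if ev.get("event.category") == "registry":
        # Any registry event on the Shadow value, regardless of event.type.
        return any(eql_match(ev.get("registry.path"), p) for p in SHADOW_PATHS)
    if ev.get("event.category") == "process" and ev.get("event.type") == "start":
        # Branch 2: shadowing helper processes spawned by the RDS service host.
        if (any(eql_match(ev.get("process.name"), p) for p in HELPER_PROCS)
                and eql_match(ev.get("process.parent.name"), "svchost.exe")):
            return True
        # Branch 3: the client side, mstsc.exe launched with /shadow:<session>.
        if (eql_match(ev.get("process.pe.original_file_name"), "mstsc.exe")
                and any(eql_match(a, "/shadow:*") for a in ev.get("process.args", []))):
            return True
    return False


def classify_shadow_value(data):
    """Decode a Shadow registry value ("2" or "0x2"); returns (meaning, consent_bypassed)."""
    text = str(data).strip() if data is not None else ""
    try:
        code = int(text, 16) if text.lower().startswith("0x") else int(text)
    except ValueError:
        return ("unrecognised value %r" % (data,), False)
    return SHADOW_VALUES.get(code, ("out-of-range value %d" % code, False))


# Constructed sample events (assumption: flat ECS field names as the rule uses).
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.category": "registry", "event.type": "change",
     "registry.path": r"HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow",
     "registry.data.strings": ["2"], "process.name": "reg.exe"},
    {"host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.name": "RdpSaUacHelper.exe", "process.parent.name": "svchost.exe"},
    {"host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.name": "mstsc.exe", "process.pe.original_file_name": "mstsc.exe",
     "process.args": ["mstsc.exe", "/shadow:2", "/control", "/noConsentPrompt"]},
    {"host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.name": "mstsc.exe", "process.pe.original_file_name": "mstsc.exe",
     "process.args": ["mstsc.exe", "/v:fileserver01"]},          # ordinary RDP: no alert
    {"host.os.type": "linux", "event.category": "registry",
     "registry.path": SHADOW_PATHS[0]},                            # wrong OS: no alert
]


def run(events=SAMPLE_EVENTS):
    """Evaluate the rule over events; return (index, triage reason) per alert."""
    hits = []
    for i, ev in enumerate(events):
        if not is_shadowing(ev):
            continue
        if ev.get("event.category") == "registry":
            data = (ev.get("registry.data.strings") or [None])[0]
            meaning, bypass = classify_shadow_value(data)
            reason = "Shadow policy written as %s (%s)" % (data, meaning)
            if bypass:
                reason += "; target user gets no consent prompt"
        else:
            reason = "shadowing process started: %s %s" % (
                ev.get("process.name"), " ".join(ev.get("process.args", [])))
        hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for idx, why in run():
        print("ALERT event[%d]: %s" % (idx, why))
```

Running the script flags the first three constructed events and leaves the plain `mstsc.exe /v:` connection and the non-Windows event alone. For the registry hit, the decoded value is the first thing to check during triage: a write of 2 or 4 removes the consent prompt the target user would otherwise see, so it deserves more scrutiny than 1 or 3 even when the account performing the change is an administrator.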
