Potential Remote Desktop Shadowing Activity

Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users' active RDP sessions.

Elastic rule (View on GitHub)

[metadata]
# Rule bookkeeping: dates, the integrations that supply the data, and the
# supported stack range. None of these keys are part of the query itself.
creation_date = "2021/04/12"
# presumably the integrations whose data streams back the `index` patterns in [rule] — verify
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Lowest stack version the rule is validated against; the `setup` text in [rule]
# describes the `event.ingested` caveat for older, non-agent indices.
min_stack_version = "8.3.0"
updated_date = "2024/04/08"

 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes
13indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control
14other users active RDP sessions.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Remote Desktop Shadowing Activity"
21references = [
22    "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
23    "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
24]
25risk_score = 73
26rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156"
27setup = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
30events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
31Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
32`event.ingested` to @timestamp.
33For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
34"""
35severity = "high"
36tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41/* Identifies the modification of RDP Shadow registry or
42  the execution of processes indicative of active shadow RDP session */
43
44any where host.os.type == "windows" and
45(
46  (event.category == "registry" and
47     registry.path : (
48      "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
49      "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
50    )
51  ) or
52  (event.category == "process" and event.type == "start" and
53     (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
54     (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
55  )
56)
57'''
58
59
[[rule.threat]]
framework = "MITRE ATT&CK"
# Shadowing attaches to an existing RDP session, so the mapping is
# Remote Services > Remote Desktop Protocol under Lateral Movement.
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
