Potential Remote Desktop Shadowing Activity
Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry value or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP shadowing feature to spy on or control other users' active RDP sessions.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/04/12"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes
indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control
other users' active RDP sessions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Desktop Shadowing Activity"
note = """## Setup

If enabling an EQL rule on a non-Elastic-Agent index (such as Beats) for stack versions earlier than 8.2, events will not define `event.ingested`, and the default fallback for EQL rules was not added until 8.2, so you will need to add a custom ingest pipeline that populates `event.ingested` from @timestamp for this rule to work.
"""
references = [
    "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
    "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
]
risk_score = 73
rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
/* Identifies the modification of RDP Shadow registry or
   the execution of processes indicative of active shadow RDP session */

any where host.os.type == "windows" and
(
  (event.category == "registry" and
     registry.path : (
       "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
       "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
     )
  ) or
  (event.category == "process" and event.type == "start" and
     (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
     (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
  )
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
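To check the query's logic against concrete events, the following is an added Python re-implementation of its three indicators run over constructed ECS-style events. It is example code, not Elastic's rule or rule engine: the sample events, the `classify` and `shadow_mode` helpers, and the decoding of `registry.data.strings` are assumptions made for illustration. One caveat it makes explicit: in EQL `and` binds more tightly than `or`, so in the published query the `process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*"` clause is not actually gated by `event.category == "process" and event.type == "start"`; the example groups both process branches under that gate, which is the evident intent. It also decodes the value written to the Shadow policy, because values 2 and 4 permit shadowing without the user's consent.

```python
# Added example (not Elastic's code): the rule's three indicators re-implemented in
# plain Python and run over constructed ECS-style events with dotted field names.
from fnmatch import fnmatchcase

# Registry paths from the query (an EQL "\\" is a single literal backslash).
SHADOW_REG_PATHS = (
    r"HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow",
    r"\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow",
)
# Session-shadowing helper processes that svchost.exe spawns on the shadowed host.
RDP_SA_HELPERS = ("RdpSaUacHelper.exe", "RdpSaProxy.exe")

# Meaning of the Shadow DWORD under the Terminal Services policy key (Microsoft's
# "Set rules for remote control of Remote Desktop Services user sessions" policy).
SHADOW_MODES = {
    0: "remote control disabled",
    1: "full control, with the user's permission",
    2: "full control, without the user's permission",
    3: "view only, with the user's permission",
    4: "view only, without the user's permission",
}


def eql_match(value, pattern):
    """Approximate EQL ':' : case-insensitive wildcard match where a list on
    either side matches if any element matches."""
    if value is None:
        return False
    values = value if isinstance(value, (list, tuple)) else [value]
    patterns = pattern if isinstance(pattern, (list, tuple)) else [pattern]
    return any(fnmatchcase(str(v).lower(), p.lower()) for v in values for p in patterns)


def classify(event):
    """Return the indicator the event matches, or None if the rule would not fire."""
    if event.get("host.os.type") != "windows":
        return None
    if event.get("event.category") == "registry" and eql_match(
        event.get("registry.path"), SHADOW_REG_PATHS
    ):
        return "shadow_policy_registry"
    # Both process branches are gated by the process-start check here.
    if event.get("event.category") == "process" and event.get("event.type") == "start":
        if eql_match(event.get("process.name"), RDP_SA_HELPERS) and eql_match(
            event.get("process.parent.name"), "svchost.exe"
        ):
            return "rdp_shadow_helper_spawned"
        # pe.original_file_name catches a renamed mstsc.exe; args carries the target session.
        if eql_match(event.get("process.pe.original_file_name"), "mstsc.exe") and eql_match(
            event.get("process.args"), "/shadow:*"
        ):
            return "mstsc_shadow_client"
    return None


def shadow_mode(event):
    """Decode the first registry.data.strings entry of a Shadow write (assumed field)."""
    strings = event.get("registry.data.strings") or []
    try:
        return SHADOW_MODES.get(int(strings[0]), "unknown value %s" % strings[0])
    except (IndexError, ValueError):
        return "no decodable value"


# Constructed events: one true positive per indicator plus three that must not fire.
SAMPLE_EVENTS = [
    {"id": "reg-shadow", "host.os.type": "windows", "event.category": "registry",
     "registry.path": r"HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow",
     "registry.data.strings": ["2"]},
    {"id": "helper", "host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.name": "RdpSaProxy.exe", "process.parent.name": "svchost.exe"},
    {"id": "renamed-mstsc", "host.os.type": "windows", "event.category": "process",
     "event.type": "start", "process.name": "rdp.exe", "process.pe.original_file_name": "mstsc.exe",
     "process.args": ["rdp.exe", "/v:ws01", "/SHADOW:3", "/control", "/noConsentPrompt"]},
    {"id": "plain-rdp", "host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.name": "mstsc.exe", "process.pe.original_file_name": "mstsc.exe",
     "process.args": ["mstsc.exe", "/v:ws01"]},
    {"id": "other-key", "host.os.type": "windows", "event.category": "registry",
     "registry.path": r"HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections"},
    {"id": "linux", "host.os.type": "linux", "event.category": "process", "event.type": "start",
     "process.name": "RdpSaProxy.exe", "process.parent.name": "svchost.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Map event id -> matched indicator (None when the rule would not fire)."""
    return {e["id"]: classify(e) for e in events}


if __name__ == "__main__":
    for event_id, hit in run().items():
        print(f"{event_id:14} -> {hit}")
    print("Shadow policy set to:", shadow_mode(SAMPLE_EVENTS[0]))
```

The `renamed-mstsc` event shows why the query keys on `process.pe.original_file_name` rather than `process.name`, and why `:` rather than `==` matters for the argument: the operator sees `/SHADOW:3` regardless of case. When triaging a registry hit, the decoded mode tells you at once whether the change removed the consent prompt.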
Setup
If enabling an EQL rule on a non-Elastic-Agent index (such as Beats) for stack versions earlier than 8.2, events will not define event.ingested,
and the default fallback for EQL rules was not added until 8.2, so you will need to add a custom ingest pipeline that populates event.ingested
from @timestamp for this rule to work.
References
Related rules
- Execution via TSClient Mountpoint
- Lateral Movement via Startup Folder
- Mounting Hidden or WebDav Remote Shares
- NullSessionPipe Registry Modification
- RDP Enabled via Registry