RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP. In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
Sigma rule (View on GitHub)
1title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
2id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
3related:
4 - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
5 type: similar
6status: experimental
7description: |
8 Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.
9 In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP.
10 In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
11references:
12 - https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
13 - https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall
14 - https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468
15author: Daniel Koifman (KoifSec), Swachchhanda Shrawan Poudel (Nextron Systems)
16date: 2025-11-15
17tags:
18 - attack.lateral-movement
19 - attack.t1021.001
20 - attack.execution
21 - attack.t1047
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection_img:
27 - Image|endswith:
28 - '\wmic.exe'
29 - '\powershell.exe'
30 - '\pwsh.exe'
31 - OriginalFileName:
32 - 'wmic.exe'
33 - 'PowerShell.EXE'
34 - 'pwsh.dll'
35 selection_cli_method:
36 CommandLine|contains:
37 - 'rdtoggle'
38 - 'Win32_TerminalServiceSetting'
39 selection_cli_property:
40 CommandLine|contains: 'SetAllowTSConnections'
41 condition: all of selection_*
42falsepositives:
43 - Legitimate system administrators enabling RDP for remote support
44 - System configuration scripts during deployment
45level: medium
References
-
Investigation and analysis We observed a VBScript file named %PUBLIC%\gfghhjhyuq.vbs executed through sqlservr.exe. This led us to suspect that the device had been exploited through a vulnerability...
Read More -
Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news. - HackTricks-wiki/hacktricks
Read More -
GUI program for connecting to ongoing RDP and RDS sessions as well as for remote administration and automation of Windows systems. - Lifailon/RSA
Read More
Related rules
- Remote DCOM/WMI Lateral Movement
- Wmiexec Default Output File
- Hermetic Wiper TG Process Patterns
- PSExec and WMI Process Creations Block
- T1047 Wmiprvse Wbemcomn DLL Hijack