Potential Tampering With RDP Related Registry Keys Via Reg.EXE

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Sigma rule

title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
date: 2022-02-12
modified: 2023-02-05
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.t1021.001
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection_main_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_main_cli:
        CommandLine|contains|all:
            - ' add '
            - '\CurrentControlSet\Control\Terminal Server'
            - 'REG_DWORD'
            - ' /f'
    selection_values_1:
        CommandLine|contains|all:
            - 'Licensing Core'
            - 'EnableConcurrentSessions'
    selection_values_2:
        CommandLine|contains:
            - 'WinStations\RDP-Tcp'
            - 'MaxInstanceCount'
            - 'fEnableWinStation'
            - 'TSUserEnabled'
            - 'TSEnabled'
            - 'TSAppCompat'
            - 'IdleWinStationPoolCount'
            - 'TSAdvertise'
            - 'AllowTSConnections'
            - 'fSingleSessionPerUser'
            - 'fDenyTSConnections'
    condition: all of selection_main_* and 1 of selection_values_*
falsepositives:
    - Unknown
level: high
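To make the condition concrete, here is an added Python re-implementation of the rule's matching logic (it is an example written for this page, not code from the Sigma project or the rule authors) run over a handful of constructed process-creation events. Sigma string modifiers are case-insensitive by default, so every comparison lower-cases both sides; the two entries under selection_main_img are a list, so they are OR-ed, which is what lets a renamed copy of reg.exe still match on OriginalFileName. The event field names (Image, OriginalFileName, CommandLine) follow the rule; the hosts, paths and command lines in the samples are invented.

```python
# Added example: the Sigma rule above, re-implemented as a small Python matcher
# and evaluated against constructed process-creation events. Not the Sigma
# project's code. Sigma 'contains'/'endswith' are case-insensitive, so every
# comparison below lower-cases both sides.

from typing import Dict, Iterable

# Strings copied from the rule's selections.
MAIN_CLI_ALL = (" add ", "\\CurrentControlSet\\Control\\Terminal Server", "REG_DWORD", " /f")
VALUES_1_ALL = ("Licensing Core", "EnableConcurrentSessions")
VALUES_2_ANY = (
    "WinStations\\RDP-Tcp", "MaxInstanceCount", "fEnableWinStation", "TSUserEnabled",
    "TSEnabled", "TSAppCompat", "IdleWinStationPoolCount", "TSAdvertise",
    "AllowTSConnections", "fSingleSessionPerUser", "fDenyTSConnections",
)


def _contains_all(text: str, needles: Iterable[str]) -> bool:
    """CommandLine|contains|all: every needle must appear (case-insensitive)."""
    lowered = text.lower()
    return all(n.lower() in lowered for n in needles)


def _contains_any(text: str, needles: Iterable[str]) -> bool:
    """CommandLine|contains with a list: any needle is enough (case-insensitive)."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'all of selection_main_* and 1 of selection_values_*'."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")

    # selection_main_img is a YAML list of maps, i.e. OR between the two checks.
    main_img = image.endswith("\\reg.exe") or original == "reg.exe"
    main_cli = _contains_all(cmd, MAIN_CLI_ALL)
    values_1 = _contains_all(cmd, VALUES_1_ALL)
    values_2 = _contains_any(cmd, VALUES_2_ANY)
    return main_img and main_cli and (values_1 or values_2)


# Constructed sample events (hypothetical paths and command lines, not real telemetry).
SAMPLE_EVENTS: Dict[str, Dict[str, str]] = {
    "deny_flag_cleared": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": 'reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                       "/v fDenyTSConnections /t REG_DWORD /d 0 /f",
    },
    "concurrent_sessions": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": 'REG ADD "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core" '
                       "/v EnableConcurrentSessions /t REG_DWORD /d 1 /f",
    },
    "renamed_binary": {  # Image no longer ends in \reg.exe; OriginalFileName still matches
        "Image": "C:\\Users\\Public\\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": 'r.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" '
                       "/v MaxInstanceCount /t REG_DWORD /d 4294967295 /f",
    },
    "query_only": {  # read-only inspection of the same key: no ' add ', no REG_DWORD, no /f
        "Image": "C:\\Windows\\System32\\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": 'reg.exe query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                       "/v fDenyTSConnections",
    },
    "unrelated_key": {  # reg add with /f, but not under Terminal Server
        "Image": "C:\\Windows\\System32\\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": 'reg.exe add "HKLM\\SOFTWARE\\ExampleVendor\\ExampleApp" '
                       "/v TSEnabled /t REG_DWORD /d 1 /f",
    },
}


def evaluate_samples() -> Dict[str, bool]:
    """Return {sample name: rule matched?} for every constructed event."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}: {SAMPLE_EVENTS[name]['CommandLine']}")
```

The "unrelated_key" sample is the one worth pausing on: it contains a selection_values_2 string (TSEnabled) and every selection_main_cli string except the Terminal Server path, so it shows that the key path, not the value name alone, is what carries the rule. The rule's log source is process_creation, so it only sees changes made through reg.exe; the same values set through other tooling or direct registry API calls need a registry-event source to be covered.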
