Potential Tampering With RDP Related Registry Keys Via Reg.EXE

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Sigma rule

title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
date: 2022-02-12
modified: 2023-02-05
tags:
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.t1021.001
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection_main_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_main_cli:
        CommandLine|contains|all:
            - ' add '
            - '\CurrentControlSet\Control\Terminal Server'
            - 'REG_DWORD'
            - ' /f'
    selection_values_1:
        CommandLine|contains|all:
            - 'Licensing Core'
            - 'EnableConcurrentSessions'
    selection_values_2:
        CommandLine|contains:
            - 'WinStations\RDP-Tcp'
            - 'MaxInstanceCount'
            - 'fEnableWinStation'
            - 'TSUserEnabled'
            - 'TSEnabled'
            - 'TSAppCompat'
            - 'IdleWinStationPoolCount'
            - 'TSAdvertise'
            - 'AllowTSConnections'
            - 'fSingleSessionPerUser'
            - 'fDenyTSConnections'
    condition: all of selection_main_* and 1 of selection_values_*
falsepositives:
    - Unknown
level: high
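To see what the condition above actually fires on, here is an added example (not the rule author's code and not Sigma's own engine): a minimal Python matcher for this rule's logic, run over a few constructed process-creation events. It reproduces the two points that matter for coverage: the `selection_main_img` list is an OR, so a renamed binary is still caught through `OriginalFileName`, and a read-only `reg query` never matches.

```python
"""Minimal matcher for the rule's condition:
   all of selection_main_* and 1 of selection_values_*
Sigma string modifiers match case-insensitively, which is mirrored here."""

TERMINAL_SERVER_KEY = r"\CurrentControlSet\Control\Terminal Server"
MAIN_CLI_ALL = (" add ", TERMINAL_SERVER_KEY, "REG_DWORD", " /f")
VALUES_1_ALL = ("Licensing Core", "EnableConcurrentSessions")
VALUES_2_ANY = (
    r"WinStations\RDP-Tcp", "MaxInstanceCount", "fEnableWinStation",
    "TSUserEnabled", "TSEnabled", "TSAppCompat", "IdleWinStationPoolCount",
    "TSAdvertise", "AllowTSConnections", "fSingleSessionPerUser",
    "fDenyTSConnections",
)


def _contains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()


def matches_rdp_reg_tampering(event: dict) -> bool:
    """True when a process_creation event satisfies the rule."""
    image = event.get("Image", "")
    orig_name = event.get("OriginalFileName", "")
    cli = event.get("CommandLine", "")
    # selection_main_img is a list of maps: either field check is enough.
    main_img = image.lower().endswith(r"\reg.exe") or orig_name.lower() == "reg.exe"
    main_cli = all(_contains(cli, s) for s in MAIN_CLI_ALL)
    values_1 = all(_contains(cli, s) for s in VALUES_1_ALL)
    values_2 = any(_contains(cli, s) for s in VALUES_2_ANY)
    return main_img and main_cli and (values_1 or values_2)


# Constructed sample events (hypothetical; not taken from any real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core" /v EnableConcurrentSessions /t REG_DWORD /d 1 /f'},
    # Read-only query: no ' add ', no REG_DWORD, no ' /f' -> must not alert.
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections'},
    # Renamed copy: Image no longer ends in \reg.exe, but the PE version info still says reg.exe.
    {"Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'r.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f'},
    # Unrelated key with the same verb and flags -> must not alert.
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Example" /v Foo /t REG_DWORD /d 1 /f'},
]


def scan(events: list) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rdp_reg_tampering(e)]
```

Running `scan(SAMPLE_EVENTS)` returns `[0, 1, 3]`; if your pipeline drops `OriginalFileName` from the event, the renamed-binary case silently stops matching, which is worth checking in the log source before deploying the rule.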
