Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history
Sigma rule (View on GitHub)
1title: Terminal Server Client Connection History Cleared - Registry
2id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
3status: test
4description: Detects the deletion of registry keys containing the MSTSC connection history
5references:
6 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
7 - http://woshub.com/how-to-clear-rdp-connections-history/
8 - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
9author: Christian Burkard (Nextron Systems)
10date: 2021-10-19
11modified: 2023-02-08
12tags:
13 - attack.persistence
14 - attack.defense-evasion
15 - attack.t1070
16 - attack.t1112
17logsource:
18 category: registry_delete
19 product: windows
20detection:
21 selection1:
22 EventType: DeleteValue
23 TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
24 selection2:
25 EventType: DeleteKey
26 TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
27 condition: 1 of selection*
28falsepositives:
29 - Unknown
30level: high
References
-
-
The built-in Windows Remote Desktop Connection client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to log in after each successful connection to…
Read More -
In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry.
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird