Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history
Sigma rule
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
    - http://woshub.com/how-to-clear-rdp-connections-history/
    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
    - attack.defense-evasion
    - attack.t1070
    - attack.t1112
logsource:
    category: registry_delete
    product: windows
detection:
    selection1:
        EventType: DeleteValue
        TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
    selection2:
        EventType: DeleteKey
        TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
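The rule's two selections as runnable matching logic over constructed Sysmon registry events, so the DeleteValue/MRU and DeleteKey/Servers branches and the `1 of selection*` condition can be checked against sample records. This is an added example, not code from the Sigma project or the rule author; it assumes Sysmon's `EventType` and `TargetObject` field names (Event ID 12 carries DeleteKey/DeleteValue) and Sigma's default case-insensitive matching, and the SID and host names are placeholders.

```python
from typing import Optional

# Fragments copied from the rule's TargetObject|contains selectors.
MRU_FRAGMENT = "\\Microsoft\\Terminal Server Client\\Default\\MRU"
SERVERS_FRAGMENT = "\\Microsoft\\Terminal Server Client\\Servers\\"


def _eq(a: str, b: str) -> bool:
    # Sigma string comparisons are case-insensitive by default.
    return a.casefold() == b.casefold()


def _contains(value: str, fragment: str) -> bool:
    # '|contains' means the fragment may appear anywhere in the field.
    return fragment.casefold() in value.casefold()


def matches_rule(event: dict) -> Optional[str]:
    """Return the selection that fired ('selection1'/'selection2') or None.
    With 'condition: 1 of selection*', either selection alone is a hit."""
    etype = event.get("EventType", "")
    target = event.get("TargetObject", "")
    if _eq(etype, "DeleteValue") and _contains(target, MRU_FRAGMENT):
        return "selection1"  # an MRU<n> value (recently used hosts) was removed
    if _eq(etype, "DeleteKey") and _contains(target, SERVERS_FRAGMENT):
        return "selection2"  # a per-host key under Servers\ was removed
    return None


def scan(events: list) -> list:
    """Run the rule over a batch and return (index, selection) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        sel = matches_rule(ev)
        if sel:
            hits.append((i, sel))
    return hits


# Constructed Sysmon Event ID 12 records, reduced to the fields the rule reads;
# the SID and host names are placeholders.
HIVE = "HKU\\S-1-5-21-1000-2000-3000-1001\\SOFTWARE\\Microsoft\\Terminal Server Client"
SAMPLE_EVENTS = [
    {"EventType": "DeleteValue", "TargetObject": HIVE + "\\Default\\MRU0"},
    {"EventType": "DeleteKey", "TargetObject": HIVE + "\\Servers\\FILESRV01"},
    # Normal RDP use writes MRU0 (Event ID 13 SetValue): not a delete, no hit.
    {"EventType": "SetValue", "TargetObject": HIVE + "\\Default\\MRU0"},
    # Unrelated key deletion elsewhere in the registry: no hit.
    {"EventType": "DeleteKey", "TargetObject": "HKLM\\SOFTWARE\\ExampleApp\\Cache"},
]

if __name__ == "__main__":
    for idx, sel in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {sel} -> {SAMPLE_EVENTS[idx]['TargetObject']}")
```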
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry