Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history
Sigma rule (View on GitHub)
1title: Terminal Server Client Connection History Cleared - Registry
2id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
3status: test
4description: Detects the deletion of registry keys containing the MSTSC connection history
5references:
6 - https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
7 - http://woshub.com/how-to-clear-rdp-connections-history/
8 - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
9author: Christian Burkard (Nextron Systems)
10date: 2021/10/19
11modified: 2023/02/08
12tags:
13 - attack.defense_evasion
14 - attack.t1070
15 - attack.t1112
16logsource:
17 category: registry_delete
18 product: windows
19detection:
20 selection1:
21 EventType: DeleteValue
22 TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
23 selection2:
24 EventType: DeleteKey
25 TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
26 condition: 1 of selection*
27falsepositives:
28 - Unknown
29level: high
References
-
-
The built-in Windows Remote Desktop Connection client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to log in after each successful connection to…
Read More -
In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry.
Read More
Related rules
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- NetNTLM Downgrade Attack
- Remove Exported Mailbox from Exchange Webserver
- Enable WDigest using PowerShell (ps_module)
- Clearing Windows Console History