Allow RDP Remote Assistance Feature
Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
Sigma rule (View on GitHub)
1title: Allow RDP Remote Assistance Feature
2id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
3status: test
4description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
7author: frack113
8date: 2022-08-19
9modified: 2023-08-17
10tags:
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.t1112
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|endswith: 'System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp'
20 Details: DWORD (0x00000001)
21 condition: selection
22falsepositives:
23 - Legitimate use of the feature (alerts should be investigated either way)
24level: medium
25regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml
26simulation:
27 - type: atomic-red-team
28 name: Allow RDP Remote Assistance Feature
29 technique: T1112
30 atomic_guid: 86677d0e-0b5e-4a2b-b302-454175f9aa9e
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Disable Windows Security Center Notifications
- PowerShell Logging Disabled Via Registry Key Tampering
- Disable Security Events Logging Adding Reg Key MiniNt
- Imports Registry Key From a File
- Imports Registry Key From an ADS