Allow RDP Remote Assistance Feature
Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
Sigma rule (View on GitHub)
1title: Allow RDP Remote Assistance Feature
2id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
3status: test
4description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
7author: frack113
8date: 2022-08-19
9modified: 2023-08-17
10tags:
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.t1112
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|endswith: 'System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp'
20 Details: DWORD (0x00000001)
21 condition: selection
22falsepositives:
23 - Legitimate use of the feature (alerts should be investigated either way)
24level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Blackbyte Ransomware Registry
- Blue Mockingbird
- Blue Mockingbird - Registry