RDP Sensitive Settings Changed to Zero
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Sigma rule (View on GitHub)
1title: RDP Sensitive Settings Changed to Zero
2id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
3related:
4 - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
5 type: similar
6 - id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
7 type: similar
8status: test
9description: |
10 Detects tampering of RDP Terminal Service/Server sensitive settings.
11 Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
12references:
13 - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
14 - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
15 - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
16 - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
17 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
18 - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
19 - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
20author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
21date: 2022-09-29
22modified: 2022-11-26
23tags:
24 - attack.defense-evasion
25 - attack.persistence
26 - attack.t1112
27logsource:
28 category: registry_set
29 product: windows
30detection:
31 selection:
32 TargetObject|endswith:
33 - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled
34 - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions
35 - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established
36 Details: 'DWORD (0x00000000)'
37 condition: selection
38falsepositives:
39 - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
40level: medium
References
-
RDPWrapp is a legit third party utility that enable multiple simultaneous RDP session on non Windows Servers, which is something an attacke...
Read More -
Shadow session mode allows RDS administrators to view and interact with the user’s desktop. Remote Desktop Shadowing mode works on all modern versions of Windows starting from Windows Server 2012…
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Offensive Tradecraft Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. There are several setti...
Read More -
-
Essential Online Tools for Software Developers In the fast-paced world of software development, efficiency is key. Developers are constantly looking for ways to streamline their workflows, automate...
Read More
Related rules
- Office Macros Warning Disabled
- Trust Access Disable For VBApplications
- Potential Ursnif Malware Activity - Registry
- Modification of IE Registry Settings
- Blue Mockingbird - Registry