RDP Sensitive Settings Changed to Zero
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Sigma rule (View on GitHub)
1title: RDP Sensitive Settings Changed to Zero
2id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
3related:
4 - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
5 type: similar
6status: test
7description: |
8 Detects tampering of RDP Terminal Service/Server sensitive settings.
9 Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
10references:
11 - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
12 - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
13 - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
14 - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
15 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
16 - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
17 - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
18author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
19date: 2022-09-29
20modified: 2022-11-26
21tags:
22 - attack.defense-evasion
23 - attack.persistence
24 - attack.t1112
25logsource:
26 category: registry_set
27 product: windows
28detection:
29 selection:
30 TargetObject|endswith:
31 - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled
32 - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions
33 - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established
34 Details: 'DWORD (0x00000000)'
35 condition: selection
36falsepositives:
37 - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
38level: medium
References
Related rules
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System