RDP Sensitive Settings Changed
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
Sigma rule (View on GitHub)
1title: RDP Sensitive Settings Changed
2id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
3related:
4 - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
5 type: obsoletes
6 - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
7 type: obsoletes
8 - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
9 type: similar
10status: test
11description: |
12 Detects tampering of RDP Terminal Service/Server sensitive settings.
13 Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
14references:
15 - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
16 - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
17 - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
18 - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
19 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
20 - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
21 - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
22 - https://blog.sekoia.io/darkgate-internals/
23 - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
24 - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
25author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
26date: 2022/08/06
27modified: 2024/02/08
28tags:
29 - attack.defense_evasion
30 - attack.persistence
31 - attack.t1112
32logsource:
33 category: registry_set
34 product: windows
35detection:
36 selection_shadow:
37 TargetObject|contains:
38 - '\Control\Terminal Server\'
39 - '\Windows NT\Terminal Services\'
40 TargetObject|endswith: '\Shadow'
41 Details:
42 - 'DWORD (0x00000001)' # Full Control with user’s permission
43 - 'DWORD (0x00000002)' # Full Control without user’s permission
44 - 'DWORD (0x00000003)' # View Session with user’s permission
45 - 'DWORD (0x00000004)' # View Session without user’s permission
46 selection_terminal_services_key:
47 TargetObject|contains:
48 - '\Control\Terminal Server\'
49 - '\Windows NT\Terminal Services\'
50 TargetObject|endswith:
51 - '\DisableRemoteDesktopAntiAlias' # Disable anti-aliasing for remote desktop (DarkGate malware)
52 - '\DisableSecuritySettings' # Disable security settings, allowing access to programs/entire desktop (DarkGate malware)
53 - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
54 - '\fAllowUnsolicitedFullControl'
55 Details: 'DWORD (0x00000001)'
56 selection_tamper_only:
57 # Any changes to these keys should be suspicious and looked at
58 TargetObject|contains:
59 - '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
60 - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
61 - '\services\TermService\Parameters\ServiceDll' # RDP hijacking
62 - '\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
63 condition: selection_shadow or selection_terminal_services_key or selection_tamper_only
64falsepositives:
65 - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
66level: high
References
-
RDPWrapp is a legit third party utility that enable multiple simultaneous RDP session on non Windows Servers, which is something an attacke...
Read More -
Shadow session mode allows RDS administrators to view and interact with the user’s desktop. Remote Desktop Shadowing mode works on all modern versions of Windows starting from Windows Server 2012…
Read More -
-
Offensive Tradecraft Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. There are several setti...
Read More -
-
Registry Keys for Terminal Services The relevant configuration options for terminal servers, terminal server sessions, users, and clients can be found in different places in the registry. The admin...
Read More -
-
Learn how DarkGate, a malware-as-service developed in Delphi & C++, is used by threat actors for covert operations & to evade detection.
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- RDP Sensitive Settings Changed to Zero
- OilRig APT Schedule Task Persistence - System
- Winlogon AllowMultipleTSSessions Enable
- OilRig APT Activity
- OilRig APT Schedule Task Persistence - Security