RDP Sensitive Settings Changed

 1title: RDP Sensitive Settings Changed
 2id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
 3related:
 4    - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
 5      type: obsoletes
 6    - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
 7      type: obsoletes
 8    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
 9      type: similar
10status: test
11description: |
12    Detects tampering of RDP Terminal Service/Server sensitive settings.
13    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc    
14references:
15    - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
16    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
17    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
18    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
19    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
20    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
21    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
22author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
23date: 2022/08/06
24modified: 2023/08/17
25tags:
26    - attack.defense_evasion
27    - attack.persistence
28    - attack.t1112
29logsource:
30    category: registry_set
31    product: windows
32detection:
33    selection_shadow:
34        TargetObject|contains:
35            - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\'
36            - '\Control\Terminal Server\'
37        TargetObject|endswith: '\Shadow'
38        Details:
39            - 'DWORD (0x00000001)' # Full Control with user’s permission
40            - 'DWORD (0x00000002)' # Full Control without user’s permission
41            - 'DWORD (0x00000003)' # View Session with user’s permission
42            - 'DWORD (0x00000004)' # View Session without user’s permission
43    selection_terminal_services_key:
44        TargetObject|contains:
45            - '\Control\Terminal Server\'
46            - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\'
47    selection_terminal_services_values:
48        TargetObject|endswith:
49            - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
50            - '\fAllowUnsolicitedFullControl'
51        Details: 'DWORD (0x00000001)'
52    selection_tamper_only:
53        # Any changes to these keys should be suspicious and looked at
54        TargetObject|contains:
55            - '\services\TermService\Parameters\ServiceDll' # RDP hijacking
56            - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
57            - '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
58            - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
59    condition: selection_shadow or (selection_terminal_services_key and selection_terminal_services_values) or selection_tamper_only
60falsepositives:
61    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
62level: high

References

• https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html

  
  Read More

• How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019? | Windows OS Hub

  

  Shadow session mode allows RDS administrators to view and interact with the user’s desktop. Remote Desktop Shadowing mode works on all modern versions of Windows starting from Windows Server 2012…

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Registry Modification to Enable Remote Desktop Conections — Threat Hunter Playbook

  Offensive Tradecraft Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. There are several setti...

  
  Read More

• MalwareBazaar | Browse Checking your browser

  Please confirm that you are not a robot by clicking on the checkbox below

  
  Read More

• Registry Keys for Terminal Services :: Chapter 6: Registry :: Microsoft Windows Server 2003 Terminal Services :: Microsoft Products :: eTutorials.org

  Registry Keys for Terminal Services The relevant configuration options for terminal servers, terminal server sessions, users, and clients can be found in different places in the registry. The admin...

  
  Read More

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

  Search in Group Policy Administrative Templates

  
  Read More

Related rules

• Suspicious New Printer Ports in Registry (CVE-2020-1048)
• Winlogon AllowMultipleTSSessions Enable
• OilRig APT Activity
• OilRig APT Schedule Task Persistence - Security
• OilRig APT Schedule Task Persistence - System