Winlogon AllowMultipleTSSessions Enable
Detects when the 'AllowMultipleTSSessions' registry value is enabled, which allows multiple Remote Desktop connection sessions to be open at once. Attackers often use this to connect to an RDP session without disconnecting the users who are already logged on.
Sigma rule (View on GitHub)
title: Winlogon AllowMultipleTSSessions Enable
id: f7997770-92c3-4ec9-b112-774c4ef96f96
status: test
description: |
    Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be opened at once.
    This is often used by attackers as a way to connect to an RDP session without disconnecting the other users.
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
        Details|endswith: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Legitimate use of the multi session functionality
level: medium
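To show what the selection above actually matches once it is deployed, here is an added example (not part of the Sigma project or this rule's page) that evaluates the rule's two field conditions against constructed Sysmon Event ID 13 records, the event type Sigma's `registry_set` category maps to. The events, the `Image` values and the helper names (`matches_rule`, `find_hits`) are assumptions made for the example; the `Details` strings use Sysmon's `DWORD (0x...)` formatting, which is why the rule matches on the string suffix rather than a numeric value.

```python
"""Evaluate the 'Winlogon AllowMultipleTSSessions Enable' Sigma selection
against constructed Sysmon registry-set events.

Added illustration code; the sample events are constructed, not captured
from a real host."""

# Selection copied from the rule. Sigma string modifiers are
# case-insensitive by default, so the matcher lowercases both sides.
SELECTION = {
    "TargetObject|endswith": r"\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
    "Details|endswith": "DWORD (0x00000001)",
}

# Sigma's registry_set category corresponds to Sysmon Event ID 13
# (registry value set); this check mirrors the logsource mapping.
REGISTRY_SET_EVENT_ID = 13


def _field_matches(event, field_spec, expected):
    """Apply one 'Field|modifier: value' condition to an event dict."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    return value == expected  # no modifier: exact (case-insensitive) match


def matches_rule(event):
    """True when the event is a registry set and every selection field matches
    (fields inside a Sigma selection map are ANDed)."""
    if event.get("EventID") != REGISTRY_SET_EVENT_ID:
        return False
    return all(_field_matches(event, k, v) for k, v in SELECTION.items())


# Constructed sample events; 'Image' is the process that wrote the value.
SAMPLE_EVENTS = [
    {   # value set to 1 (enabled): alert
        "EventID": 13, "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
        "Details": "DWORD (0x00000001)",
    },
    {   # value set to 0 (disabled): no alert
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
        "Details": "DWORD (0x00000000)",
    },
    {   # different Winlogon value with the same DWORD: no alert
        "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
        "Details": "DWORD (0x00000001)",
    },
    {   # Event ID 12 (key create/delete), not a value set: no alert
        "EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
    },
]


def find_hits(events):
    """Return the writing process of every event that trips the rule."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in find_hits(SAMPLE_EVENTS):
        print(f"ALERT: AllowMultipleTSSessions enabled by {image}")
```

Only the first sample event fires; the disabled write (`0x00000000`), the unrelated Winlogon value and the non-set event are all rejected. When triaging a real hit, the `Image` and `User` fields of the same Sysmon event are the quickest way to separate the "legitimate use of the multi session functionality" false positive from a remote-access tool tampering with Winlogon.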
References
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
Related rules
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System