Winlogon AllowMultipleTSSessions Enable

Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be open at once. This is often used by attackers as a way to connect to an RDP session without disconnecting the other users.

Sigma rule

title: Winlogon AllowMultipleTSSessions Enable
id: f7997770-92c3-4ec9-b112-774c4ef96f96
status: experimental
description: |
  Detects when the 'AllowMultipleTSSessions' value is enabled.
  Which allows for multiple Remote Desktop connection sessions to be opened at once.
  This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/09
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
        Details|endswith: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Legitimate use of the multi session functionality
level: medium
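As an added example (not part of the rule or of the SigmaHQ project), the rule's selection block evaluated by hand in Python over a few constructed Sysmon Event ID 13 (registry value set) records: it shows that only a change of that exact value to 1 fires, while setting it back to 0 or writing a neighbouring Winlogon value does not. Field names follow Sysmon's registry_set event shape; the sample events and the evaluator are assumptions for this illustration, not real telemetry or the Sigma backend's own matching code.

```python
# Added example: a minimal evaluator for the rule's 'selection' block run over
# constructed Sysmon Event ID 13 (registry value set) records. Sigma string
# modifiers such as 'endswith' are case-insensitive, so both sides are lowercased.

# Field/modifier pairs copied from the rule; all must hold (logical AND).
SELECTION = {
    "TargetObject|endswith":
        r"\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
    "Details|endswith": "DWORD (0x00000001)",
}

def field_matches(event, field_spec, expected):
    """Evaluate one 'Field|modifier' pair against a single event."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:  # a missing field never matches
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":  # plain equality when no modifier is given
        return value == expected
    raise ValueError("unsupported modifier: " + modifier)

def rule_matches(event):
    """condition: selection -> every pair in SELECTION must match."""
    return all(field_matches(event, spec, exp) for spec, exp in SELECTION.items())

# Constructed sample registry_set events (Sysmon EID 13 shape), not real telemetry.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS = [
    # value set to 1: the rule should fire
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": WINLOGON + r"\AllowMultipleTSSessions",
     "Details": "DWORD (0x00000001)"},
    # same value set back to 0: out of scope for this rule
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": WINLOGON + r"\AllowMultipleTSSessions",
     "Details": "DWORD (0x00000000)"},
    # a different (benign) Winlogon value set to 1: must not fire
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WINLOGON + r"\LegalNoticeCaption",
     "Details": "DWORD (0x00000001)"},
]

def alerts(events):
    """Return the indexes of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]
```

Because the rule keys on the value being set to 1, a later reset to 0 produces no event from this rule; pair it with the false-positive note above when triaging legitimate multi-session use.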
