Winlogon AllowMultipleTSSessions Enable
Detects when the 'AllowMultipleTSSessions' registry value is set to 1 (enabled), which allows multiple Remote Desktop sessions to be open at once. Attackers often use this to connect over RDP without disconnecting the users already logged on.
Sigma rule
title: Winlogon AllowMultipleTSSessions Enable
id: f7997770-92c3-4ec9-b112-774c4ef96f96
status: experimental
description: |
    Detects when the 'AllowMultipleTSSessions' value is enabled.
    Which allows for multiple Remote Desktop connection sessions to be opened at once.
    This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/09
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
        Details|endswith: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Legitimate use of the multi session functionality
level: medium
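An added example, not code from the rule or this page, showing how the rule's `selection` evaluates over constructed registry_set events. The field names assume the Sysmon Event ID 13 (RegistryEvent, Value Set) schema that Sigma's registry_set log source maps to, and the sample images, paths and values are made up.

```python
# Added example, not part of the Sigma rule or this page: evaluates the rule's
# `selection` against constructed registry_set events. Field names follow the
# Sysmon Event ID 13 (RegistryEvent, Value Set) schema that Sigma's
# registry_set log source maps to: TargetObject and Details.

# Constructed sample events (images, paths and values are made up for the demo).
SAMPLE_EVENTS = [
    {  # 1) Should match: value enabled under the Winlogon key
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
        "Details": "DWORD (0x00000001)",
    },
    {  # 2) Must not match: same value, but explicitly disabled (0)
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
        "Details": "DWORD (0x00000000)",
    },
    {  # 3) Must not match: a different Winlogon value with a string payload
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "Details": "explorer.exe",
    },
    {  # 4) Should match: Sigma matching is case-insensitive by default, so a
       #    differently cased path still satisfies `endswith`
        "Image": r"C:\Users\Public\setup.exe",
        "TargetObject": r"hklm\software\microsoft\windows nt\currentversion\winlogon\allowmultipletssessions",
        "Details": "DWORD (0x00000001)",
    },
]

TARGET_SUFFIX = r"\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions"
DETAILS_SUFFIX = "DWORD (0x00000001)"


def sigma_endswith(value, suffix):
    """Sigma's `endswith` modifier: suffix match, case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event):
    """Both selection fields must match (entries of a Sigma map are AND-ed)."""
    return (sigma_endswith(event.get("TargetObject", ""), TARGET_SUFFIX)
            and sigma_endswith(event.get("Details", ""), DETAILS_SUFFIX))


def run_rule(events):
    """Return the events that would raise this rule's alert."""
    return [e for e in events if matches_rule(e)]
```

Event 2 shows why the `Details` clause matters: the same value being written back to 0 is a benign or remediating change and must not alert.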
Related rules
- OilRig APT Activity
- OilRig APT Schedule Task Persistence - Security
- Potential Persistence Via Event Viewer Events.asp
- OilRig APT Registry Persistence
- Activate Suppression of Windows Security Center Notifications