Enabling RDP service via reg.exe command execution

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Sigma rule

title: Enabling RDP service via reg.exe command execution
id: ded07dbe-bcd4-4d15-a27b-1669445d3215
status: experimental
description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host
author: 'Kostastsale, TheDFIRReport'
references:
  - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
modified: 2023/01/08
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\reg.exe'
    CommandLine|contains|all:
      - 'add'
      - 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server'
      - 'REG_DWORD'
  Winstations1:
    CommandLine|contains:
      - 'WinStations\RDP-Tcp'
  Winstations2:
    CommandLine|contains:
      - 'MaxInstanceCount'
      - 'fEnableWinStation'
  selection2:
    CommandLine|contains|all:
      - 'Licensing Core'
      - 'EnableConcurrentSessions'
  selection3:
    CommandLine|contains:
      - 'TSUserEnabled'
      - 'TSEnabled'
      - 'TSAppCompat'
      - 'IdleWinStationPoolCount'
      - 'TSAdvertise'
      - 'AllowTSConnections'
      - 'fSingleSessionPerUser'
  condition: selection1 and ((Winstations1 and Winstations2) or (selection2 or selection3))
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.lateral_movement
  - attack.t1021.001
  - attack.t1112
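As an added example (not the rule author's or the Sigma project's code), a small Python evaluator that applies this rule's condition to constructed process_creation events, so you can see which reg.exe invocations fire and which do not. It assumes events carry Image and CommandLine as plain strings and mirrors Sigma's default case-insensitive substring matching.

```python
# Added example, not part of the Sigma project or the rule's author's code:
# a minimal evaluator for the condition of rule
# ded07dbe-bcd4-4d15-a27b-1669445d3215 over process_creation events.
# Sigma string modifiers match case-insensitively by default, which this mirrors.
from typing import Dict, List

TS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

def _contains_all(value: str, needles: List[str]) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)

def _contains_any(value: str, needles: List[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)

def matches_rdp_reg_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies: selection1 and
    ((Winstations1 and Winstations2) or (selection2 or selection3))."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    selection1 = image.endswith("\\reg.exe") and _contains_all(
        cmd, ["add", TS_KEY, "REG_DWORD"])
    winstations1 = _contains_any(cmd, [r"WinStations\RDP-Tcp"])
    winstations2 = _contains_any(cmd, ["MaxInstanceCount", "fEnableWinStation"])
    selection2 = _contains_all(cmd, ["Licensing Core", "EnableConcurrentSessions"])
    selection3 = _contains_any(cmd, [
        "TSUserEnabled", "TSEnabled", "TSAppCompat", "IdleWinStationPoolCount",
        "TSAdvertise", "AllowTSConnections", "fSingleSessionPerUser"])
    return selection1 and ((winstations1 and winstations2) or (selection2 or selection3))

# Constructed sample events (not real telemetry). Expected: True, True, False, False, False.
REG = r"C:\Windows\System32\reg.exe"
SAMPLE_EVENTS = [
    # selection1 + selection3 (TSEnabled)
    {"Image": REG, "CommandLine": f'reg add "{TS_KEY}" /v TSEnabled /t REG_DWORD /d 1 /f'},
    # selection1 + Winstations1 + Winstations2
    {"Image": REG, "CommandLine": f'reg add "{TS_KEY}\\WinStations\\RDP-Tcp" /v MaxInstanceCount /t REG_DWORD /d 10 /f'},
    # read-only query: no 'add' and no REG_DWORD, so selection1 fails
    {"Image": REG, "CommandLine": f'reg query "{TS_KEY}" /v TSEnabled'},
    # selection1 alone is never sufficient: value name appears in no secondary selection
    {"Image": REG, "CommandLine": f'reg add "{TS_KEY}" /v SomeOtherValue /t REG_DWORD /d 0 /f'},
    # same arguments, but Image is cmd.exe, so selection1 fails on the Image field
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": f'cmd.exe /c reg add "{TS_KEY}" /v TSEnabled /t REG_DWORD /d 1 /f'},
]

def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Apply the rule to each event, preserving order."""
    return [matches_rdp_reg_rule(e) for e in events]
```

The last two sample events show why the condition is an AND of selection1 with the secondary selections: a write to the Terminal Server key with REG_DWORD only fires when one of the listed value names or the WinStations pair is also present, and the parent cmd.exe event is not matched on its own (the child reg.exe process_creation event is).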
