Enabling RDP service via reg.exe command execution

Detects execution of reg.exe with command-line arguments that enable the RDP (Terminal Server) service on the host.

Sigma rule

title: Enabling RDP service via reg.exe command execution
id: ded07dbe-bcd4-4d15-a27b-1669445d3215
status: experimental
description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host
author: 'Kostastsale, TheDFIRReport'
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022-02-12
modified: 2023-01-08
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'add'
            - 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server'
            - 'REG_DWORD'
    Winstations1:
        CommandLine|contains: 'WinStations\RDP-Tcp'
    Winstations2:
        CommandLine|contains:
            - 'MaxInstanceCount'
            - 'fEnableWinStation'
    selection2:
        CommandLine|contains|all:
            - 'Licensing Core'
            - 'EnableConcurrentSessions'
    selection3:
        CommandLine|contains:
            - 'TSUserEnabled'
            - 'TSEnabled'
            - 'TSAppCompat'
            - 'IdleWinStationPoolCount'
            - 'TSAdvertise'
            - 'AllowTSConnections'
            - 'fSingleSessionPerUser'
    condition: selection1 and ((Winstations1 and Winstations2) or (selection2 or selection3))
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.t1021.001
    - attack.t1112
