Enabling RDP service via reg.exe command execution
Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host
Sigma rule (View on GitHub)
1title: Enabling RDP service via reg.exe command execution
2id: afed5f7a-362a-46c2-8cc3-38a2e96b07b1
3status: Experimental
4description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host
5author: '@Kostastsale, @TheDFIRReport'
6references:
7 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
8date: 2022/02/12
9logsource:
10 product: windows
11 category: process_creation
12detection:
13 selection1:
14 Image|endswith:
15 - '\reg.exe'
16 CommandLine|contains|all:
17 - 'add'
18 - 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server'
19 - 'REG_DWORD'
20 Winstations1:
21 CommandLine|contains:
22 - 'WinStations\RDP-Tcp'
23 Winstations2:
24 CommandLine|contains:
25 - 'MaxInstanceCount'
26 - 'fEnableWinStation'
27 selection2:
28 CommandLine|contains|all:
29 - 'Licensing Core'
30 - 'EnableConcurrentSessions'
31 selection3:
32 CommandLine|contains:
33 - 'TSUserEnabled'
34 - 'TSEnabled'
35 - 'TSAppCompat'
36 - 'IdleWinStationPoolCount'
37 - 'TSAdvertise'
38 - 'AllowTSConnections'
39 - 'fSingleSessionPerUser'
40 condition: selection1 and ((Winstations1 and Winstations2) or (selection2 or selection3))
41falsepositives:
42 - Uknown
43level: high
44tags:
45 - attack.defense_evasion
46 - attack.lateral_movement
47 - attack.t1021.001
48 - attack.t1112```
References
-
In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot paylo…
Read More
Related rules
- Enabling RDP service via reg.exe command execution
- Enable WDigest using PowerShell
- Enable WDigest using PowerShell (ps_module)
- Abuse of the Windows Server Update Services (WSUS) for lateral movement.
- Deleting Windows Defender scheduled tasks