legitimate system administrators enabling rdp for remote support

t1021
t1021.001
t1047
windows
sigma

Techniques

t1021
t1021.001
t1047

Sample rules

RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class

source: sigma
technicques:
- t1021
- t1021.001
- t1047

Description

Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. In PowerShell one-liner commands, the “SetAllowTSConnections” method of the “Win32_TerminalServiceSetting” class may be used to enable or disable RDP. In WMIC, the “rdtoggle” alias or “Win32_TerminalServiceSetting” class may be used for the same purpose.

Detection logic

condition: all of selection_*
selection_cli_method:
  CommandLine|contains:
  - rdtoggle
  - Win32_TerminalServiceSetting
selection_cli_property:
  CommandLine|contains: SetAllowTSConnections
selection_img:
- Image|endswith:
  - \wmic.exe
  - \powershell.exe
  - \pwsh.exe
- OriginalFileName:
  - wmic.exe
  - PowerShell.EXE
  - pwsh.dll