LoFP / legitimate use of the feature (alerts should be investigated either way)

Techniques

• t1112

Sample rules

Allow RDP Remote Assistance Feature

• source: sigma
• technicques:
  • t1112

Description

Detect enable rdp feature to allow specific user to rdp connect on the targeted machine

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000001)
  TargetObject|endswith: System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp