Techniques
Sample rules
Winlogon AllowMultipleTSSessions Enable
- source: sigma
- techniques:
- t1112
Description
Detects when the ‘AllowMultipleTSSessions’ value is enabled, which allows multiple Remote Desktop connection sessions to be open at once. Attackers often use this as a way to connect to an RDP session without disconnecting the other users.
Detection logic
condition: selection
selection:
  Details|endswith: DWORD (0x00000001)
  TargetObject|endswith: \Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions
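
The selection above, evaluated over sample registry events. This is an added example, not part of the Sigma rule or its project: the evaluator handles only the `endswith` modifier, and the events are constructed records shaped like Sysmon registry value-set events (Event ID 13), with assumed `Image` values.

```python
# Added example: minimal evaluator for the rule's selection (not a full Sigma engine).
RULE = {
    "Details|endswith": "DWORD (0x00000001)",
    "TargetObject|endswith":
        r"\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
}

def field_matches(event, key, expected):
    """Apply one field condition; only 'endswith' and plain equality are handled."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:          # a missing field can never satisfy the condition
        return False
    # Sigma string comparisons are case-insensitive by default.
    actual, expected = str(actual).lower(), expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def matches(event, selection=RULE):
    """All field conditions inside one selection are ANDed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Constructed sample events (not real telemetry).
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
REG_EXE = r"C:\Windows\System32\reg.exe"
EVENTS = [
    # 0: value enabled -> should alert
    {"Image": REG_EXE, "TargetObject": WINLOGON + r"\AllowMultipleTSSessions",
     "Details": "DWORD (0x00000001)"},
    # 1: same write logged with different casing -> should still alert
    {"Image": REG_EXE, "TargetObject": WINLOGON.lower() + r"\allowmultipletssessions",
     "Details": "DWORD (0x00000001)"},
    # 2: value set to 0 (disabled) -> no alert
    {"Image": REG_EXE, "TargetObject": WINLOGON + r"\AllowMultipleTSSessions",
     "Details": "DWORD (0x00000000)"},
    # 3: different Winlogon value -> no alert
    {"Image": REG_EXE, "TargetObject": WINLOGON + r"\Shell", "Details": "explorer.exe"},
    # 4: event without a Details field -> no alert
    {"Image": REG_EXE, "TargetObject": WINLOGON + r"\AllowMultipleTSSessions"},
]

def alerts(events=EVENTS):
    """Return the indexes of events that satisfy the selection."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    for i in alerts():
        print("ALERT", EVENTS[i]["TargetObject"], EVENTS[i]["Details"])
```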