Techniques
Sample rules
RDP Sensitive Settings Changed to Zero
- source: sigma
- techniques:
  - t1112
Description
Detects tampering with sensitive RDP Terminal Service/Server settings, such as granting unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
Detection logic
condition: selection
selection:
  Details: DWORD (0x00000000)
  TargetObject|endswith:
    - \fDenyTSConnections
    - \fSingleSessionPerUser
    - \UserAuthentication
RDP Sensitive Settings Changed
- source: sigma
- techniques:
  - t1112
Description
Detects tampering with sensitive RDP Terminal Service/Server settings, such as granting unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
Below is a list of registry keys/values that are monitored by this rule:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user’s session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
Detection logic
condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*
filter_main_securitylayer_tls:
  Details: DWORD (0x00000002)
  TargetObject|endswith: \SecurityLayer
selection_shadow:
  Details:
    - DWORD (0x00000001)
    - DWORD (0x00000002)
    - DWORD (0x00000003)
    - DWORD (0x00000004)
  TargetObject|contains:
    - \Control\Terminal Server\
    - \Windows NT\Terminal Services\
  TargetObject|endswith: \Shadow
selection_tamper_only:
  TargetObject|contains:
    - \Control\Terminal Server\InitialProgram
    - \Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
    - \services\TermService\Parameters\ServiceDll
    - \Terminal Server\WinStations\RDP-Tcp\SecurityLayer
    - \Windows NT\Terminal Services\InitialProgram
selection_terminal_services_key:
  Details: DWORD (0x00000001)
  TargetObject|contains:
    - \Control\Terminal Server\
    - \Windows NT\Terminal Services\
  TargetObject|endswith:
    - \DisableRemoteDesktopAntiAlias
    - \DisableSecuritySettings
    - \fAllowUnsolicited
    - \fAllowUnsolicitedFullControl
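To show how the two detection-logic blocks above actually evaluate, here is an added Python example (not Sigma's own tooling or the rule authors' code) that encodes both rules' field maps and runs them over a handful of constructed Sysmon Event ID 13 (registry value set) records. It assumes Sigma's default semantics: all fields in a selection must match, a list of values is an OR, string comparison is case-insensitive, and `1 of filter_main_*` reduces to the single `filter_main_securitylayer_tls` block shown on this page. The registry paths and values in the sample events are constructed to exercise each selection and the filter.

```python
"""Evaluates the two RDP registry-tampering rules above against Sysmon
Event ID 13 records. Added example; the events below are constructed."""

# Field maps copied from the detection logic above. "field|modifier" keys
# apply the modifier; a list of values is an OR inside that one field.
SEL_ZERO = {
    "Details": "DWORD (0x00000000)",
    "TargetObject|endswith": ["\\fDenyTSConnections", "\\fSingleSessionPerUser",
                              "\\UserAuthentication"],
}
FILTER_SECURITYLAYER_TLS = {
    "Details": "DWORD (0x00000002)",
    "TargetObject|endswith": "\\SecurityLayer",
}
SEL_SHADOW = {
    "Details": ["DWORD (0x00000001)", "DWORD (0x00000002)",
                "DWORD (0x00000003)", "DWORD (0x00000004)"],
    "TargetObject|contains": ["\\Control\\Terminal Server\\",
                              "\\Windows NT\\Terminal Services\\"],
    "TargetObject|endswith": "\\Shadow",
}
SEL_TAMPER_ONLY = {
    "TargetObject|contains": [
        "\\Control\\Terminal Server\\InitialProgram",
        "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
        "\\services\\TermService\\Parameters\\ServiceDll",
        "\\Terminal Server\\WinStations\\RDP-Tcp\\SecurityLayer",
        "\\Windows NT\\Terminal Services\\InitialProgram",
    ],
}
SEL_TS_KEY = {
    "Details": "DWORD (0x00000001)",
    "TargetObject|contains": ["\\Control\\Terminal Server\\",
                              "\\Windows NT\\Terminal Services\\"],
    "TargetObject|endswith": ["\\DisableRemoteDesktopAntiAlias", "\\DisableSecuritySettings",
                              "\\fAllowUnsolicited", "\\fAllowUnsolicitedFullControl"],
}


def _match_field(actual, modifier, values):
    """One field against one or more values (OR), case-insensitive like Sigma."""
    if isinstance(values, str):
        values = [values]
    a = actual.lower()
    for v in (x.lower() for x in values):
        if modifier == "endswith" and a.endswith(v):
            return True
        if modifier == "contains" and v in a:
            return True
        if modifier == "" and a == v:
            return True
    return False


def matches(event, field_map):
    """Every field in a Sigma selection/filter map must match (AND)."""
    for key, values in field_map.items():
        field, _, modifier = key.partition("|")
        if not _match_field(str(event.get(field, "")), modifier, values):
            return False
    return True


def rdp_settings_changed_to_zero(event):
    """condition: selection"""
    return matches(event, SEL_ZERO)


def rdp_sensitive_settings_changed(event):
    """condition: (selection_shadow or selection_terminal_services_key
    or selection_tamper_only) and not 1 of filter_main_*"""
    selected = any(matches(event, s) for s in (SEL_SHADOW, SEL_TS_KEY, SEL_TAMPER_ONLY))
    return selected and not matches(event, FILTER_SECURITYLAYER_TLS)


RULES = {
    "RDP Sensitive Settings Changed to Zero": rdp_settings_changed_to_zero,
    "RDP Sensitive Settings Changed": rdp_sensitive_settings_changed,
}

# Constructed Sysmon Event ID 13 records; only the fields the rules read.
TS = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\"
POL = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\"
SAMPLE_EVENTS = [
    {"id": 1, "TargetObject": TS + "fDenyTSConnections", "Details": "DWORD (0x00000000)"},
    {"id": 2, "TargetObject": TS + "fDenyTSConnections", "Details": "DWORD (0x00000001)"},
    {"id": 3, "TargetObject": TS + "WinStations\\RDP-Tcp\\SecurityLayer", "Details": "DWORD (0x00000002)"},
    {"id": 4, "TargetObject": TS + "WinStations\\RDP-Tcp\\SecurityLayer", "Details": "DWORD (0x00000000)"},
    {"id": 5, "TargetObject": POL + "Shadow", "Details": "DWORD (0x00000002)"},
    {"id": 6, "TargetObject": TS + "fAllowUnsolicited", "Details": "DWORD (0x00000001)"},
    {"id": 7, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TermService\\Parameters\\ServiceDll",
     "Details": "C:\\Windows\\System32\\termsrv.dll"},
]


def evaluate(events):
    """Returns {event id: [names of rules that fired]}; an empty list is no alert."""
    return {e["id"]: [name for name, fn in RULES.items() if fn(e)] for e in events}


if __name__ == "__main__":
    for eid, hits in evaluate(SAMPLE_EVENTS).items():
        print(eid, hits or "-")
```

Two behaviours worth noticing when tuning: event 3 (SecurityLayer set to 2, i.e. TLS) is selected by `selection_tamper_only` but suppressed by the filter, while event 4 (the same value set to 0) alerts; and event 7 alerts on any write to `ServiceDll`, even one that restores the default `termsrv.dll`, because `selection_tamper_only` carries no `Details` constraint, so triage should compare the written value against a known-good baseline.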