Techniques
Sample rules
RDP Sensitive Settings Changed
- source: sigma
- techniques:
- t1112
Description
Detects tampering with sensitive RDP Terminal Service/Server settings, such as granting unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
Detection logic
  condition: selection_shadow or selection_terminal_services_key or selection_tamper_only
  selection_shadow:
    Details:
      - DWORD (0x00000001)
      - DWORD (0x00000002)
      - DWORD (0x00000003)
      - DWORD (0x00000004)
    TargetObject|contains:
      - \Control\Terminal Server\
      - \Windows NT\Terminal Services\
    TargetObject|endswith: \Shadow
  selection_tamper_only:
    TargetObject|contains:
      - \Control\Terminal Server\InitialProgram
      - \Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
      - \services\TermService\Parameters\ServiceDll
      - \Windows NT\Terminal Services\InitialProgram
  selection_terminal_services_key:
    Details: DWORD (0x00000001)
    TargetObject|contains:
      - \Control\Terminal Server\
      - \Windows NT\Terminal Services\
    TargetObject|endswith:
      - \DisableRemoteDesktopAntiAlias
      - \DisableSecuritySettings
      - \fAllowUnsolicited
      - \fAllowUnsolicitedFullControl
RDP Sensitive Settings Changed to Zero
- source: sigma
- techniques:
- t1112
Description
Detects tampering with sensitive RDP Terminal Service/Server settings, such as granting unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
Detection logic
  condition: selection
  selection:
    Details: DWORD (0x00000000)
    TargetObject|endswith:
      - \fDenyTSConnections
      - \fSingleSessionPerUser
      - \UserAuthentication
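To show how both rules evaluate in practice, here is an added example (not code from the Sigma project) that applies the selections above to Sysmon Event ID 13 (registry value set) records, which is the event the Sigma `registry_set` category maps to. The record layout and the sample events are constructed; the names `matching_rules`, `_fields` and `_ev` are this example's own.

```python
# Added example (not from the rule source): evaluates the two Sigma rules above against Sysmon
# Event ID 13 (registry value set) records. Samples are constructed; matching is case-insensitive.
TS_PATHS = ("\\control\\terminal server\\", "\\windows nt\\terminal services\\")
TAMPER_PATHS = (
    "\\control\\terminal server\\initialprogram",
    "\\control\\terminal server\\winstations\\rdp-tcp\\initialprogram",
    "\\services\\termservice\\parameters\\servicedll",
    "\\windows nt\\terminal services\\initialprogram",
)
TS_KEYS = ("\\disableremotedesktopantialias", "\\disablesecuritysettings",
           "\\fallowunsolicited", "\\fallowunsolicitedfullcontrol")
ZERO_KEYS = ("\\fdenytsconnections", "\\fsinglesessionperuser", "\\userauthentication")
SHADOW_VALUES = {"dword (0x0000000%d)" % i for i in range(1, 5)}

def _fields(event):
    """The two Sysmon fields the rules inspect, lower-cased for Sigma's case-insensitive matching."""
    return event.get("TargetObject", "").lower(), event.get("Details", "").lower()

def rdp_sensitive_settings_changed(event):
    """Rule 1: fields inside a selection are AND-ed, list items are OR-ed, selections are OR-ed."""
    target, details = _fields(event)
    under_ts_key = any(p in target for p in TS_PATHS)
    selection_shadow = details in SHADOW_VALUES and under_ts_key and target.endswith("\\shadow")
    selection_tamper_only = any(p in target for p in TAMPER_PATHS)  # any value written counts
    selection_terminal_services_key = (details == "dword (0x00000001)" and under_ts_key
                                       and target.endswith(TS_KEYS))
    return selection_shadow or selection_tamper_only or selection_terminal_services_key

def rdp_sensitive_settings_changed_to_zero(event):
    """Rule 2: a protective setting written as DWORD 0 (e.g. fDenyTSConnections=0 enables RDP)."""
    target, details = _fields(event)
    return details == "dword (0x00000000)" and target.endswith(ZERO_KEYS)

RULES = {"RDP Sensitive Settings Changed": rdp_sensitive_settings_changed,
         "RDP Sensitive Settings Changed to Zero": rdp_sensitive_settings_changed_to_zero}

def matching_rules(event):
    """Names of the rules that fire for one Sysmon EventID 13 record (empty list if none)."""
    return [n for n, r in RULES.items() if event.get("EventID") == 13 and r(event)]

def _ev(target, details):  # constructed Sysmon EventID 13 record (not real telemetry)
    return {"EventID": 13, "TargetObject": target, "Details": details}

SAMPLE_EVENTS = [  # the last one (fDenyTSConnections = 1 turns RDP off) should fire neither rule
    _ev(r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\Shadow", "DWORD (0x00000002)"),
    _ev(r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "DWORD (0x00000000)"),
    _ev(r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited", "DWORD (0x00000001)"),
    _ev(r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll", r"C:\Windows\System32\termsrv.dll"),
    _ev(r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "DWORD (0x00000001)"),
]
```

Calling `matching_rules(ev)` for each sample returns the first rule for the Shadow, fAllowUnsolicited and ServiceDll writes, the second rule for fDenyTSConnections=0, and nothing for fDenyTSConnections=1.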