detection.wiki

Detection rules › Sigma

RDP Sensitive Settings Changed to Zero

Severity
medium
Author
Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
Source
upstream

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1112 Modify Registry
Defense EvasionT1112 Modify Registry

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection

or:
TargetObject|endswith: '\UserAuthentication'
TargetObject|endswith: '\fDenyTSConnections'
TargetObject|endswith: '\fSingleSessionPerUser'
Details: 'DWORD (0x00000000)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • DWORD (0x00000000) corpus 38 (sigma 38)
TargetObjectends_with
  • \UserAuthentication
  • \fDenyTSConnections
  • \fSingleSessionPerUser