SigmaHQ/wazuh/rules/sigma_sysmon_rdp_settings_hijack.yml

alert:
- debug
description: Detects changes to RDP terminal service sensitive settings
filter:
- query:
    query_string:
      query: data.win.eventdata.targetObject.keyword:(*\\services\\TermService\\Parameters\\ServiceDll* OR *\\Control\\Terminal\ Server\\fSingleSessionPerUser* OR *\\Control\\Terminal\ Server\\fDenyTSConnections*)
index: wazuh-alerts-3.x-*
name: 171b67e1-74b4-460e-8d55-b331f3e32d67_0
priority: 2
realert:
  minutes: 0
type: any
123 2020-12-02 22:43:30 +00:00			`alert:`
			`- debug`
			`description: Detects changes to RDP terminal service sensitive settings`
			`filter:`
			`- query:`
			`query_string:`
			`query: data.win.eventdata.targetObject.keyword:(\\services\\TermService\\Parameters\\ServiceDll OR \\Control\\Terminal\ Server\\fSingleSessionPerUser OR \\Control\\Terminal\ Server\\fDenyTSConnections)`
			`index: wazuh-alerts-3.x-*`
			`name: 171b67e1-74b4-460e-8d55-b331f3e32d67_0`
			`priority: 2`
			`realert:`
			`minutes: 0`
			`type: any`