valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
154181c6c8
SigmaHQ/rules/windows/registry_event/sysmon_rdp_registry_modification.yml

31 lines
1023 B
YAML
Raw Normal View History

Added rules files split into folders
2020-06-10 14:32:30 +00:00
title: RDP Registry Modification
id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.
status: experimental
date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md
tags:
- attack.defense_evasion
- attack.t1112
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith:
- '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
- '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
Details: 'DWORD (0x00000000)'
condition: selection
fields:
- ComputerName
- Image
- EventType
- TargetObject
falsepositives:
- Unknown
level: high
Reference in New Issue Copy Permalink