SigmaHQ/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml

title: RDP Sensitive Settings Changed
description: Detects changes to RDP terminal service sensitive settings
references:
    - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
date: 2019/04/03
author: Samir Bousseaden
logsource:
   product: windows
   service: sysmon
detection:
    selection_reg:
        EventID: 13 
        TargetObject: 
            - '*\services\TermService\Parameters\ServiceDll*'
            - '*\Control\Terminal Server\fSingleSessionPerUser*'
            - '*\Control\Terminal Server\fDenyTSConnections*'
    condition: selection_reg
tags:
    - attack.defense_evasion
falsepositives:
    - unknown
level: high
Create sysmon_rdp_settings_hijack.yml 2019-04-03 12:16:25 +00:00			`title: RDP Sensitive Settings Changed`
			`description: Detects changes to RDP terminal service sensitive settings`
			`references:`
			`- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html`
			`date: 2019/04/03`
			`author: Samir Bousseaden`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection_reg:`
			`EventID: 13`
			`TargetObject:`
			`- '\services\TermService\Parameters\ServiceDll'`
			`- '\Control\Terminal Server\fSingleSessionPerUser'`
			`- '\Control\Terminal Server\fDenyTSConnections'`
			`condition: selection_reg`
			`tags:`
			`- attack.defense_evasion`
			`falsepositives:`
			`- unknown`
			`level: high`