SigmaHQ/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml

title: RDP Sensitive Settings Changed
id: 171b67e1-74b4-460e-8d55-b331f3e32d67
description: Detects changes to RDP terminal service sensitive settings
references:
    - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
date: 2019/04/03
modified: 2020/09/06
author: Samir Bousseaden
logsource:
    category: registry_event
    product: windows
detection:
    selection_reg:
        TargetObject|contains:
            - '\services\TermService\Parameters\ServiceDll'
            - '\Control\Terminal Server\fSingleSessionPerUser'
            - '\Control\Terminal Server\fDenyTSConnections'
    condition: selection_reg
tags:
    - attack.defense_evasion
    - attack.t1112
falsepositives:
    - unknown
level: high
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`title: RDP Sensitive Settings Changed`
			`id: 171b67e1-74b4-460e-8d55-b331f3e32d67`
			`description: Detects changes to RDP terminal service sensitive settings`
			`references:`
			`- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html`
			`date: 2019/04/03`
att&ck tags review: windows/registry_event 2020-09-06 19:08:27 +00:00			`modified: 2020/09/06`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`author: Samir Bousseaden`
			`logsource:`
			`category: registry_event`
			`product: windows`
			`detection:`
			`selection_reg:`
Update sysmon_rdp_settings_hijack.yml 2020-10-15 23:04:57 +00:00			`TargetObject\|contains:`
			`- '\services\TermService\Parameters\ServiceDll'`
			`- '\Control\Terminal Server\fSingleSessionPerUser'`
			`- '\Control\Terminal Server\fDenyTSConnections'`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`condition: selection_reg`
			`tags:`
			`- attack.defense_evasion`
att&ck tags review: windows/registry_event 2020-09-06 19:08:27 +00:00			`- attack.t1112`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`falsepositives:`
			`- unknown`
			`level: high`