hayabusa/rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml

title: RDP Sensitive Settings Changed
author: Samir Bousseaden
date: 2019/04/03
description: Detects changes to RDP terminal service sensitive settings
detection:
  SELECTION_1:
    EventID: 12
  SELECTION_2:
    EventID: 13
  SELECTION_3:
    EventID: 14
  SELECTION_4:
    TargetObject:
    - '*\services\TermService\Parameters\ServiceDll*'
    - '*\Control\Terminal Server\fSingleSessionPerUser*'
    - '*\Control\Terminal Server\fDenyTSConnections*'
  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- unknown
id: 171b67e1-74b4-460e-8d55-b331f3e32d67
level: high
logsource:
  category: registry_event
  product: windows
modified: 2020/09/06
references:
- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1112
ruletype: SIGMA