Query Details

Rdp Enable By Modifying Registry Key

Query

let rdpcommands = dynamic([@"fDenyTSConnections", @"REG_DWORD /d 0"]);
DeviceProcessEvents
| where FileName has @"reg.exe"
| where ProcessCommandLine has_all (rdpcommands)
| project DeviceId, DeviceName, ProcessCommandLine, Start = Timestamp
| join kind = inner (DeviceRegistryEvents
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server"
| where RegistryValueName == @"fDenyTSConnections"
| where ActionType == @"RegistryValueSet"
| where RegistryValueData == @"0"
| where InitiatingProcessFileName == @"reg.exe"
| project DeviceId, End = Timestamp)
on DeviceId
| where (End - Start) between (0min .. 1min)
| project Start, DeviceId, DeviceName, ProcessCommandLine

About this query

RDP enable by modifying registry key

Description

Attackers can attempt to enable RDP, including leveraging multiple living-off-the-land tools. Once RDP is enabled, it allows the attackers to use any number of dual-use tools that leverage the RDP protocol. The following query will hunt for an attempt to enable RDP by simply modifying a registry key.

References

Microsoft Defender XDR

MITRE ATT&CK Mapping

Source

  • Microsoft Defender for Endpoint

Versioning

VersionDateComments
1.026/04/2024Initial publish

Explanation

This query looks for attempts to enable RDP by modifying a specific registry key. It checks for the use of reg.exe and specific commands in the process command line. If a match is found, it retrieves information about the device and the process. This helps in detecting potential attackers trying to enable RDP for malicious purposes.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: April 26, 2024

Tables

DeviceProcessEvents DeviceRegistryEvents

Keywords

DeviceRegistryEventsDeviceProcessEventsFileNameProcessCommandLineDeviceIdDeviceNameStartTimestampRegistryKeyRegistryValueNameActionTypeRegistryValueDataInitiatingProcessFileNameEndRegistryValueSetreg.exefDenyTSConnectionsREG_DWORDHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server00min1minModify RegistryDefense EvasionT1112Microsoft Defender for Endpoint

Operators

hashas_allprojectjoinwherekindbetweendynamicTimestampinneronmin

MITRE Techniques

Actions

GitHub