From 5c50c4409de2fe83c9ccdc6a3a2b99e9ade5bcee Mon Sep 17 00:00:00 2001
From: CyberBilly7 <91810178+CyberBilly7@users.noreply.github.com>
Date: Sat, 27 Apr 2024 12:44:00 -0500
Subject: [PATCH] Adding T1112 Test 69 (#2748)

* Update T1112.yaml

* Update T1112.yaml

---------

Co-authored-by: Carrie Roberts
---
 atomics/T1112/T1112.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index d3694a69..2661be35 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -1069,3 +1069,20 @@ atomic_tests:
 cleanup_command: |
 reg delete "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride
 name: command_prompt
+- name: Enable RDP via Registry (fDenyTSConnections)
+ description: |
+ Modify the registry value of fDenyTSConnections to allow incoming RDP connections.
+ This activity has been observed by multiple ransomware groups, including Hive ransomware.
+ [Reference](https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/)
+ supported_platforms:
+ - windows
+ input_arguments:
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: integer
+ default: "0"
+ executor:
+ command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
+ cleanup_command: 'if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)'
+ name: command_prompt
+ elevation_required: true
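Review bot: With the default `remove_rdp_access_during_cleanup` of "0", the cleanup_command is a no-op and the test host is left with fDenyTSConnections set to 0 after the test, a persistent security-relevant change that neither the test `description` nor the argument `description` states; the `reg add` also overwrites the pre-test value without recording it, so even the opt-in cleanup deletes the value rather than restoring what was there. I would add a line to the description such as `By default the cleanup leaves RDP enabled (fDenyTSConnections=0); set remove_rdp_access_during_cleanup to 1 to have the cleanup delete the value, which may differ from the host's original setting.` and consider capturing the prior value in `command` so the cleanup can restore it instead of deleting. The description's claim that the change "allow[s] incoming RDP connections" is presumably only part of the picture, since host firewall rules and the service state also gate inbound RDP; worth hedging to "permits Terminal Services connections at the registry level". Minor style points: `type: integer` paired with `default: "0"` (a quoted string) is inconsistent, and the preceding test in the context lines writes `cleanup_command` as a `|` block scalar while the new test uses a single-quoted inline string.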