From ff51371575cca5ebaf2a68c3bdbf69f8705ec2fb Mon Sep 17 00:00:00 2001
From: Zeta <38060942+0xzeta@users.noreply.github.com>
Date: Tue, 28 Mar 2023 14:28:40 +0700
Subject: [PATCH] Update T1112 Added new technique "Enabling Remote Desktop Protocol via Remote Registry"
---
 atomics/T1112/T1112.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 65cf5eb7..96007ed3 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -765,3 +765,16 @@ atomic_tests:
 cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
 name: command_prompt
 elevation_required: true
+- name: Enabling Remote Desktop Protocol via Remote Registry
+ auto_generated_guid: e3ad8e83-3089-49ff-817f-e52f8c948090
+ description: |
+ Enabling RDP through remote registry.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
+ cleanup_command: |
+ reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
+ name: command_prompt
+ elevation_required: true
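Review bot: The new test's `name` and `description` say it enables RDP through the remote registry, but the `command` only sets `SecurityLayer` to 0 on the local `RDP-Tcp` key, which selects native RDP security instead of TLS and does not by itself turn RDP on; the key path also carries no remote computer prefix. Anyone mapping detection coverage from the test title would credit an RDP-enablement detection that this test never exercises. Consider `name: Downgrade RDP Security Layer via Registry` with a description such as `Sets SecurityLayer to 0 on the RDP-Tcp listener so RDP sessions use native RDP security instead of TLS.` The `cleanup_command` writes 2 unconditionally, which may differ from the value the host had before the test, so the description should state that cleanup leaves the TLS security layer selected rather than restoring the prior setting.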