Merge PR #5725 from @Koifman - RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class

new: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
This commit is contained in:
Koifman
2025-11-21 11:26:45 +02:00
committed by GitHub
parent 4ac67452f1
commit 1da888c779
2 changed files with 47 additions and 0 deletions
@@ -0,0 +1,45 @@
title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
related:
- id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
type: similar
status: experimental
description: |
Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.
In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP.
In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
references:
- https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
- https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall
- https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468
author: Daniel Koifman (KoifSec), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-15
tags:
- attack.lateral-movement
- attack.t1021.001
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\wmic.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'wmic.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_method:
CommandLine|contains:
- 'rdtoggle'
- 'Win32_TerminalServiceSetting'
selection_cli_property:
CommandLine|contains: 'SetAllowTSConnections'
condition: all of selection_*
falsepositives:
- Legitimate system administrators enabling RDP for remote support
- System configuration scripts during deployment
level: medium
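Review bot: the condition `all of selection_*` binds every match to the `SetAllowTSConnections` token in `selection_cli_property`, so the `rdtoggle` and `Win32_TerminalServiceSetting` strings in `selection_cli_method` never fire on their own; that is sound for the documented WMIC and PowerShell one-liner forms, but it also means a script body passed via `-File` or `-EncodedCommand`, where the method name is not in the process command line, is out of scope, and the description should state that explicitly rather than leaving it implied by "one-liner". Style-wise, the `selection_img` list-of-maps correctly ORs `Image|endswith` with `OriginalFileName`, and `OriginalFileName: 'pwsh.dll'` is the right value for pwsh.exe, so no change there; consider a second `related` entry with `type: similar` is already present, so the rule only needs the description wording tightened.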
@@ -3,6 +3,8 @@ id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
related:
- id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
type: similar
- id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
type: similar
status: test
description: |
Detects tampering of RDP Terminal Service/Server sensitive settings.
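Review bot: the reciprocal `related` entry here points at `4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d`, which matches the `id` of the new rule in the first file, and the hunk header's two added lines account for the 47-additions total, so the cross-reference is consistent; the only suggestion is to keep `type: similar` in both directions, as done, since the two rules watch different log sources (registry tampering here versus process creation in the new rule) and neither should be marked as deriving from the other.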