From ffa60f2d036f0a736e26cd7b8b820343df611ef9 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 28 Aug 2023 08:05:21 -0300
Subject: [PATCH] [New Rule] Network-Level Authentication (NLA) Disabled (#3039)

* [New Rule] Network-Level Authentication (NLA) Disabled

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 .../defense_evasion_disable_nla.toml | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 rules_building_block/defense_evasion_disable_nla.toml

diff --git a/rules_building_block/defense_evasion_disable_nla.toml b/rules_building_block/defense_evasion_disable_nla.toml
new file mode 100644
index 000000000..2ac70df49
--- /dev/null
+++ b/rules_building_block/defense_evasion_disable_nla.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/08/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/25"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows
+that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate
+before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the
+Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Network-Level Authentication (NLA) Disabled"
+references = [
+    "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
+]
+risk_score = 21
+rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.action != "deletion" and
+  registry.path :
+    ("HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
+     "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" ) and
+  registry.data.strings : "0"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
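Review bot: The two `registry.path` patterns in the query disagree on the control-set wildcard: the `HKLM\\SYSTEM\\ControlSet*\\...` form has no wildcard before `ControlSet`, while the `\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\...` form on the next line does, so a path reported under the `CurrentControlSet` alias would only match the second form; the first should read `("HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",` so both spellings are covered consistently. Coverage is also limited to the per-WinStation value under `RDP-Tcp`; NLA enforcement can presumably also be turned off via the Terminal Services policy key (`...\\Policies\\Microsoft\\Windows NT\\Terminal Services\\UserAuthentication`), which this query would not see — worth confirming against the referenced report and adding if the endpoint records writes there. Lastly, `registry.data.strings : "0"` relies on the REG_DWORD being rendered as the decimal string "0" by Elastic Defend/Endgame; a short sentence in `description` stating that assumption would help anyone porting the rule to another data source, e.g. "Matches on the DWORD value rendered as the string 0 by the endpoint data source."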