security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
db54ea7467a6750fe2b59fc48375cf14ab3ca2cd
sigma-rules/rules/windows/lateral_movement_rdp_enabled_registry.toml
T
Jonhnathan 5b13666054 [Rule Tuning] Update threat mappings for Windows rules (#1497) 
* Windows Rules Att&ck Mapping review

* Bump updated_date and fix reference URLs

* Fix subtechnique

* Fix test errors

(cherry picked from commit 61afb1c1c0)
2021-09-23 17:09:43 +00:00

50 lines
1.4 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/11/25"
maturity = "production"
updated_date = "2021/09/23"
[rule]
author = ["Elastic"]
description = """
Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of
adversary lateral movement preparation.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "RDP Enabled via Registry"
risk_score = 47
rule_id = "58aa72ca-d968-4f34-b9f7-bea51d75eb50"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where
registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and
registry.data.strings == "0" and not (process.name : "svchost.exe" and user.domain == "NT AUTHORITY") and
not process.executable : "C:\\Windows\\System32\\SystemPropertiesRemote.exe"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
Reference in New Issue View Git Blame Copy Permalink