Analytic Name
Enabling RDP connections
Analytic Permalink
https://github.com/SigmaHQ/sigma/blob/1df3c343910bb708908efc6ce2784e1193819c58/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml#L9
Analytic Syntax
Sigma
Analytic Logsource
Windows Registry Set, Sysmon RegistryEvent
Detection Analytic
Sysmon RegistryEvent (Event ID 13):
  TargetObject|contains: 'fDenyTSConnections'
  Details: 'DWORD (0x00000000)'
Windows Registry Set (Event ID 4657):
  ObjectName|contains: 'fDenyTSConnections'
  NewValue: '0'
Additional Notes
Hello team, this is my first contribution so I hope I'm doing this correctly.
Based on my research here and the available project documentation, I would score the Windows one as 5K and the Sysmon one as 5U. If an attacker wants to enable RDP connections on a machine, he would have to change "fdenytsconnections" to 0 - I am not aware of any other method other than this.
Scored By
Daniel Koifman @KoifSec
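The two analytics listed in the Detection Analytic field, evaluated as plain Python over constructed sample events. This is an added example, not code from the Sigma rule, the scoring project or this issue; the event dicts are made up to look like Sysmon Event ID 13 and Windows Security Event ID 4657 records after field extraction, and the way the 4657 clause joins ObjectName and ObjectValueName is an assumption about a collector's field mapping.

```python
"""Evaluate the two fDenyTSConnections registry-set analytics over sample events.

Added example, not code from the Sigma project or this issue. Field names follow
the analytic in the issue; the events are constructed samples shaped like Sysmon
Event ID 13 and Windows Security Event ID 4657 records after field extraction.
"""


def _contains(haystack, needle):
    # Sigma string matching is case-insensitive unless the |cased modifier is
    # used, so both sides are lower-cased before the substring test.
    return haystack is not None and needle.lower() in str(haystack).lower()


def _equals(value, expected):
    return value is not None and str(value).lower() == expected.lower()


def matches_sysmon_eid13(event):
    """Sysmon RegistryEvent (value set): fDenyTSConnections written as DWORD 0."""
    return (
        event.get("EventID") == 13
        and _contains(event.get("TargetObject"), "fDenyTSConnections")
        and _equals(event.get("Details"), "DWORD (0x00000000)")
    )


def matches_security_4657(event):
    """Security 'registry value was modified': fDenyTSConnections NewValue 0.

    A native 4657 record keeps the key path in ObjectName and the value name in
    ObjectValueName, so the ObjectName|contains clause is evaluated against the
    two joined with a backslash (an assumption about the collector's field
    mapping; adjust to match your own pipeline).
    """
    full_path = f"{event.get('ObjectName', '')}\\{event.get('ObjectValueName', '')}"
    return (
        event.get("EventID") == 4657
        and _contains(full_path, "fDenyTSConnections")
        and _equals(event.get("NewValue"), "0")
    )


def find_rdp_enable_events(events):
    """Return (analytic, event) pairs for every record that fires either analytic."""
    hits = []
    for ev in events:
        if matches_sysmon_eid13(ev):
            hits.append(("sysmon_eid13", ev))
        elif matches_security_4657(ev):
            hits.append(("security_4657", ev))
    return hits


TS_KEY = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server"
TS_KEY_4657 = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Sysmon 13: value set to 0 (RDP enabled) -> fires
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": TS_KEY + "\\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    # Sysmon 13: value set to 1 (RDP disabled) -> must not fire
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": TS_KEY + "\\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},
    # Sysmon 13: unrelated value under the same key set to 0 -> must not fire
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": TS_KEY + "\\fSingleSessionPerUser",
     "Details": "DWORD (0x00000000)"},
    # Security 4657: fDenyTSConnections changed 1 -> 0 -> fires
    {"EventID": 4657, "ObjectName": TS_KEY_4657,
     "ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0",
     "ProcessName": "C:\\Windows\\System32\\reg.exe"},
    # Security 4657: same value changed 0 -> 1 -> must not fire
    {"EventID": 4657, "ObjectName": TS_KEY_4657,
     "ObjectValueName": "fDenyTSConnections", "OldValue": "0", "NewValue": "1",
     "ProcessName": "C:\\Windows\\System32\\reg.exe"},
]


if __name__ == "__main__":
    for name, ev in find_rdp_enable_events(SAMPLE_EVENTS):
        print(name, ev.get("Image") or ev.get("ProcessName"))
```

Running the module on the sample set yields exactly one hit per analytic. Two practical points this makes visible: the Sysmon clause keys on the literal `DWORD (0x00000000)` string Sysmon writes for a zero DWORD, so a value set to 1 (RDP disabled) is correctly ignored; and Event ID 4657 is only emitted when the Audit Registry subcategory is enabled and the Terminal Server key carries a SACL for value writes, so the Windows variant produces nothing on a host where that auditing has not been configured.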