Adding T1112 Test 69 (#2748)

* Update T1112.yaml * Update T1112.yaml --------- Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
redcanaryco · Apr 27, 2024 · 5c50c44 · 5c50c44
1 parent cb602ba
commit 5c50c44
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
@@ -1069,3 +1069,20 @@ atomic_tests:
     cleanup_command: |
        reg delete "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride
     name: command_prompt
+- name: Enable RDP via Registry (fDenyTSConnections)
+  description: |
+    Modify the registry value of fDenyTSConnections to allow incoming RDP connections. 
+    This activity has been observed by multiple ransomware groups, including Hive ransomware. 
+    [Reference](https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    remove_rdp_access_during_cleanup:
+      description: Set to 1 if you want the cleanup to remove RDP access to machine
+      type: integer
+      default: "0"
+  executor:
+    command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
+    cleanup_command: 'if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)'
+    name: command_prompt
+    elevation_required: true