windows_modify_registry_disableremotedesktopantialias.yml
name: Windows Modify Registry DisableRemoteDesktopAntiAlias
id: 4927c6f1-4667-42e6-bd7a-f5222116386b
version: 1
date: '2023-11-23'
author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias.
  This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions.
  DarkGate malware modifies this registry value as part of its malicious installation on a targeted host to support its remote desktop capabilities.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry
  where Registry.registry_path = "*\\Terminal Services\\DisableRemoteDesktopAntiAlias" Registry.registry_value_data = 0x00000001
  by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_modify_registry_disableremotedesktopantialias_filter`'
how_to_implement: To successfully implement this search you need to be ingesting registry
  modification events, including the name of the process responsible for the change, from
  your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure
  that this registry path is included in your config files (e.g. your Sysmon config) so that it is monitored.
known_false_positives: Administrators may enable or disable this feature, which may
  cause some false positives; however, this is not common. Filter as needed.
references:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
tags:
  analytic_story:
  - DarkGate Malware
  asset_type: Endpoint
  confidence: 70
  impact: 70
  message: the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias on $dest$.
  mitre_attack_id:
  - T1112
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  risk_score: 49
  required_fields:
  - _time
  - Registry.registry_key_name
  - Registry.registry_path
  - Registry.user
  - Registry.dest
  - Registry.registry_value_name
  - Registry.action
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/disable_remote_alias.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
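The tstats search above reduces to a simple predicate over Sysmon registry events (registry path ending in `\Terminal Services\DisableRemoteDesktopAntiAlias`, value data equal to 1) followed by a group-by with count, firstTime and lastTime. The following Python script is an added example, not part of the Splunk security content or its test dataset: it applies that same predicate to a handful of constructed Sysmon Event ID 13 (SetValue) records in XmlWinEventLog form, so the matching logic can be checked offline before the search is deployed. Hostnames, users, SIDs, process GUIDs and image paths in the sample events are placeholders; the `registry_value_as_int` helper assumes Sysmon's `DWORD (0x00000001)` rendering of the Details field.

```python
"""Added example: replicate the DisableRemoteDesktopAntiAlias detection over
constructed Sysmon Event ID 13 records (not the project's own code)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Same registry path suffix the tstats search uses, compared case-insensitively.
TARGET_SUFFIX = r"\terminal services\disableremotedesktopantialias"
FLAGGED_VALUE = 1  # the search matches Registry.registry_value_data = 0x00000001


def make_sysmon_event(computer, utc_time, image, guid, user, target, details):
    """Build a constructed Sysmon Event ID 13 (RegistryEvent SetValue) record
    in the XmlWinEventLog shape. Sample data only, not real telemetry."""
    fields = {
        "EventType": "SetValue", "UtcTime": utc_time, "ProcessGuid": guid,
        "Image": image, "TargetObject": target, "Details": details, "User": user,
    }
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>13</EventID>'
            f"<Computer>{computer}</Computer></System>"
            f"<EventData>{data}</EventData></Event>")


# Placeholder hive path: SID, host names, users, GUIDs and images are constructed.
KEY = (r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft"
       r"\Terminal Services\DisableRemoteDesktopAntiAlias")
SAMPLE_EVENTS = [
    make_sysmon_event("WS01.example.local", "2023-11-23 10:15:02.100",
                      r"C:\Users\alice\AppData\Local\Temp\installer.exe",
                      "{00000000-0000-0000-0000-000000000001}", r"EXAMPLE\alice",
                      KEY, "DWORD (0x00000001)"),
    # Second write of the same value by the same process: counted, not a new finding.
    make_sysmon_event("WS01.example.local", "2023-11-23 10:15:07.500",
                      r"C:\Users\alice\AppData\Local\Temp\installer.exe",
                      "{00000000-0000-0000-0000-000000000001}", r"EXAMPLE\alice",
                      KEY, "DWORD (0x00000001)"),
    # Administrator setting the value back to 0: the search does not match this.
    make_sysmon_event("WS02.example.local", "2023-11-23 11:02:44.000",
                      r"C:\Windows\regedit.exe", "{00000000-0000-0000-0000-000000000002}",
                      r"EXAMPLE\bob", KEY, "DWORD (0x00000000)"),
    # Unrelated value under the same user hive: path suffix does not match.
    make_sysmon_event("WS01.example.local", "2023-11-23 10:16:00.000",
                      r"C:\Windows\explorer.exe", "{00000000-0000-0000-0000-000000000003}",
                      r"EXAMPLE\alice",
                      r"HKU\S-1-5-21-1111-2222-3333-1001\Control Panel\Desktop\FontSmoothing",
                      "2"),
]


def parse_sysmon_event(xml_text):
    """Flatten one XML event into a dict: event_id, dest and the EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["event_id"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields["dest"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return fields


def registry_value_as_int(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; extract the integer,
    falling back to a plain decimal string. Returns None if unparseable."""
    match = re.search(r"0x([0-9A-Fa-f]+)", details)
    if match:
        return int(match.group(1), 16)
    stripped = details.strip()
    return int(stripped) if stripped.lstrip("-").isdigit() else None


def is_anti_alias_disabled(event):
    """Same predicate as the search's where-clause: matching path, value data 1."""
    if event.get("event_id") != 13 or event.get("EventType") != "SetValue":
        return False
    if not event.get("TargetObject", "").lower().endswith(TARGET_SUFFIX):
        return False
    return registry_value_as_int(event.get("Details", "")) == FLAGGED_VALUE


def detect(xml_events):
    """Group matching events like the search's 'by' clause and return one
    finding per group carrying count, firstTime and lastTime."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for text in xml_events:
        ev = parse_sysmon_event(text)
        if not is_anti_alias_disabled(ev):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        key = (ev["dest"], ev.get("User"), ev["TargetObject"], ev.get("Image"), ev.get("ProcessGuid"))
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
        g["lastTime"] = ts if g["lastTime"] is None else max(g["lastTime"], ts)
    findings = []
    for (dest, user, path, image, guid), g in groups.items():
        findings.append({
            "dest": dest, "user": user, "registry_path": path, "process": image,
            "process_guid": guid, "count": g["count"],
            "firstTime": g["firstTime"].isoformat(), "lastTime": g["lastTime"].isoformat(),
            # Mirrors the detection's risk message with $dest$ substituted.
            "message": f"the registry for remote desktop settings was modified "
                       f"to be DisableRemoteDesktopAntiAlias on {dest}.",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["message"], finding["count"], finding["firstTime"], finding["lastTime"])
```

Running the script produces a single finding for WS01 with a count of 2, while the reset-to-zero write on WS02 and the unrelated FontSmoothing change are dropped, which is the behaviour the known_false_positives note relies on: an administrator restoring the default does not fire the search.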