/
windows_remote_services_allow_remote_assistance.yml
69 lines (69 loc) · 2.96 KB
/
windows_remote_services_allow_remote_assistance.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: Windows Remote Services Allow Remote Assistance
id: 9bce3a97-bc97-4e89-a1aa-ead151c82fbb
version: 1
date: '2022-06-21'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic is to identify a modification in the Windows registry
to enable remote desktop assistance on a targeted machine. This technique was seen
in several adversaries, malware or red teamer like azorult to remotely access the
compromised or targeted host by enabling this protocol in registry. Even this protocol
might be allowed in some production environment, This Anomaly behavior is a good
pivot to check who and why the user want to enable this feature through registry
which is un-common. And as per stated in microsoft documentation the default value
of this registry is false that makes this a good indicator of suspicious behavior.
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal
Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name
Registry.user Registry.registry_path Registry.registry_value_data Registry.action
Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on process that include the name of the process responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure
that this registry was included in your config files ex. sysmon config to be monitored.
known_false_positives: administrators may enable or disable this feature that may
cause some false positive.
references:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp
- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
tags:
analytic_story:
- Azorult
asset_type: Endpoint
confidence: 70
impact: 70
message: the registry for rdp protocol was modified to enable in $dest$
mitre_attack_id:
- T1021.001
- T1021
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Registry.registry_key_name
- Registry.registry_path
- Registry.user
- Registry.dest
- Registry.registry_value_name
- Registry.action
risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
update_timestamp: true