Skip to content

Hide Navigation Hide TOC

Potential Tampering With RDP Related Registry Keys Via Reg.EXE (0d5675be-bc88-4172-86d3-1e96a4476536)

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Cluster A Galaxy A Cluster B Galaxy B Level
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Potential Tampering With RDP Related Registry Keys Via Reg.EXE (0d5675be-bc88-4172-86d3-1e96a4476536) Sigma-Rules 1
Potential Tampering With RDP Related Registry Keys Via Reg.EXE (0d5675be-bc88-4172-86d3-1e96a4476536) Sigma-Rules Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2