Winlogon AllowMultipleTSSessions Enable (f7997770-92c3-4ec9-b112-774c4ef96f96)
Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Winlogon AllowMultipleTSSessions Enable (f7997770-92c3-4ec9-b112-774c4ef96f96) | Sigma-Rules | Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | 1 |