Sigma · high · Hunting

Terminal Server Client Connection History Cleared - Registry

Detects the deletion of registry keys containing the MSTSC connection history

MITRE ATT&CK

persistence, defense-evasion

Detection Query

selection1:
  EventType: DeleteValue
  TargetObject|contains: \Microsoft\Terminal Server Client\Default\MRU
selection2:
  EventType: DeleteKey
  TargetObject|contains: \Microsoft\Terminal Server Client\Servers\
condition: 1 of selection*
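To show how this rule's condition behaves on real-looking telemetry, here is an added example (not code from the Sigma project or the rule author): a small Python evaluator for the two selections, run over constructed Sysmon Event ID 12 registry-delete records. It assumes standard Sigma semantics (case-insensitive matching, "|contains" as a substring test, "1 of selection*" firing when any selection matches) and includes the edge case where the Servers key itself is deleted, which the trailing backslash in selection2 excludes.

```python
# Added example, not part of the Sigma rule or project. Assumed Sigma semantics:
# field values match case-insensitively, '|contains' is a substring test, fields
# inside one selection are AND-ed, and '1 of selection*' fires on any selection hit.

SELECTIONS = {
    "selection1": {
        "EventType": "DeleteValue",
        "TargetObject|contains": "\\Microsoft\\Terminal Server Client\\Default\\MRU",
    },
    "selection2": {
        "EventType": "DeleteKey",
        "TargetObject|contains": "\\Microsoft\\Terminal Server Client\\Servers\\",
    },
}

# Constructed events in Sysmon Event ID 12 shape (registry object added/deleted); the SID is made up.
SID = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software"
SAMPLE_EVENTS = [
    {"EventType": "DeleteValue", "TargetObject": SID + "\\Microsoft\\Terminal Server Client\\Default\\MRU0"},
    {"EventType": "DeleteKey", "TargetObject": SID + "\\Microsoft\\Terminal Server Client\\Servers\\fileserver01"},
    # Lower-case path: Sigma matching is case-insensitive, so this still fires.
    {"EventType": "DeleteValue", "TargetObject": SID.lower() + "\\microsoft\\terminal server client\\default\\MRU1"},
    # Deleting the Servers key itself carries no trailing backslash, so selection2 does not match.
    {"EventType": "DeleteKey", "TargetObject": SID + "\\Microsoft\\Terminal Server Client\\Servers"},
    # Unrelated registry deletion: benign noise the rule must ignore.
    {"EventType": "DeleteValue", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
]


def field_matches(event, field_spec, expected):
    """Apply one Sigma field test; only the bare and '|contains' forms used by this rule."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    if modifier == "contains":
        return expected.lower() in actual
    if modifier == "":
        return actual == expected.lower()
    raise ValueError(f"unsupported modifier: {modifier}")


def matching_selections(event):
    """Return the names of all selections the event satisfies (empty list = no alert)."""
    return [name for name, sel in SELECTIONS.items()
            if all(field_matches(event, spec, val) for spec, val in sel.items())]


def run(events=SAMPLE_EVENTS):
    """Evaluate condition '1 of selection*': one (TargetObject, selections) hit per alerting event."""
    return [(e["TargetObject"], matching_selections(e)) for e in events if matching_selections(e)]
```

Running run() over the constructed events yields three hits: the two MRU value deletions and the per-server key deletion, while the parent Servers key and the unrelated Run value produce none.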

Author

Christian Burkard (Nextron Systems)

Created

2021-10-19

Data Sources

Registry Delete Events (windows)

Platforms

windows

Tags

attack.persistence, attack.defense-evasion, attack.t1070, attack.t1112

Raw Content
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
    - http://woshub.com/how-to-clear-rdp-connections-history/
    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1070
    - attack.t1112
logsource:
    category: registry_delete
    product: windows
detection:
    selection1:
        EventType: DeleteValue
        TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
    selection2:
        EventType: DeleteKey
        TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high