sigmamediumHunting

Winlogon AllowMultipleTSSessions Enable

Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users

MITRE ATT&CK

T1112

persistencedefense-evasion

Detection Query

selection:
  TargetObject|endswith: \Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions
  Details|endswith: DWORD (0x00000001)
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-09-09

Data Sources

windowsRegistry Set Events

Platforms

windows

References

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

Tags

attack.persistenceattack.defense-evasionattack.t1112

Raw Content

title: Winlogon AllowMultipleTSSessions Enable
id: f7997770-92c3-4ec9-b112-774c4ef96f96
status: test
description: |
  Detects when the 'AllowMultipleTSSessions' value is enabled.
  Which allows for multiple Remote Desktop connection sessions to be opened at once.
  This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
        Details|endswith: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Legitimate use of the multi session functionality
level: medium