```yaml
title: Winlogon AllowMultipleTSSessions Enable
id: f7997770-92c3-4ec9-b112-774c4ef96f96
status: test
description: |
    Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be opened at once.
    This is often used by attackers as a way to connect to an RDP session without disconnecting the other users.
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
        Details|endswith: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Legitimate use of the multi-session functionality
level: medium
```
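The rule's `registry_set` selection applied to constructed Sysmon Event ID 13 (RegistryEvent - Value Set) records, as an added example that is not part of the Sigma project or the rule above; the sample events, the `matches_rule` and `find_alerts` helper names are assumptions, and the match follows Sigma's default case-insensitive string comparison.

```python
# Added example: evaluate the Winlogon AllowMultipleTSSessions rule over
# constructed Sysmon Event ID 13 records (not code from the Sigma project).

# The two selection values from the rule.
WINLOGON_VALUE = r"\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions"
ENABLED_DETAILS = "DWORD (0x00000001)"


def sigma_endswith(field_value: str, pattern: str) -> bool:
    """Sigma's |endswith modifier compares case-insensitively by default."""
    return field_value.lower().endswith(pattern.lower())


def matches_rule(event: dict) -> bool:
    """True when both selection conditions hold (condition: selection)."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    return (sigma_endswith(target, WINLOGON_VALUE)
            and sigma_endswith(details, ENABLED_DETAILS))


def find_alerts(events: list) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events in the shape of Sysmon Event ID 13 fields.
HKLM_WINLOGON = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
SAMPLE_EVENTS = [
    {   # value set to 1: multiple TS sessions enabled, should alert
        "EventID": 13, "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": HKLM_WINLOGON + "AllowMultipleTSSessions",
        "Details": "DWORD (0x00000001)",
    },
    {   # same value set back to 0: disabled again, no alert
        "EventID": 13, "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": HKLM_WINLOGON + "AllowMultipleTSSessions",
        "Details": "DWORD (0x00000000)",
    },
    {   # a different Winlogon value: outside the rule's scope, no alert
        "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": HKLM_WINLOGON + "Shell",
        "Details": "explorer.exe",
    },
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["Image"], "->", alert["TargetObject"])
```

Only the first constructed event matches; the DWORD 0 write is ignored because the rule is written to fire on enabling, not on any change to the value.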
```kql
imRegistry
| where RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions" and RegistryValueData endswith "DWORD (0x00000001)"
```

```kql
DeviceRegistryEvents
| where RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions" and RegistryValueData endswith "DWORD (0x00000001)"
```

| Sentinel Table | Notes |
|---|---|
| imRegistry | Ensure this data connector is enabled |