
Sigma rules for CVE-2008-1767

14 rules · scoped to CVE-2008-1767
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

Direct rule · level: high
User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Status: test · Author: Florian Roth (Nextron Systems) · ID: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e · License: Sigma DRL-1.1
Sigma YAML:
title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
      type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2022-09-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.lateral-movement
    - attack.t1133
    - attack.t1136.001
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: high
Direct rule · level: high
Ngrok Usage with Remote Desktop Service
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour.
Status: test · Author: Florian Roth (Nextron Systems) · ID: 64d51a51-32a6-49f0-9f3d-17e34d640272 · License: Sigma DRL-1.1
Sigma YAML:
title: Ngrok Usage with Remote Desktop Service
id: 64d51a51-32a6-49f0-9f3d-17e34d640272
status: test
description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
references:
    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
    - https://ngrok.com/
author: Florian Roth (Nextron Systems)
date: 2022-04-29
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    product: windows
    service: terminalservices-localsessionmanager
detection:
    selection:
        EventID: 21
        Address|contains: '16777216'
    condition: selection
falsepositives:
    - Unknown
level: high
Direct rule · level: medium
Installation of TeamViewer Desktop
TeamViewer_Desktop.exe is created during install.
Status: test · Author: frack113 · ID: 9711de76-5d4f-4c50-a94f-21e4e8f8384d · License: Sigma DRL-1.1
Sigma YAML:
title: Installation of TeamViewer Desktop
id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
status: test
description: TeamViewer_Desktop.exe is created during install
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
author: frack113
date: 2022-01-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\TeamViewer_Desktop.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Direct rule · level: medium
Desktop.INI Created by Uncommon Process
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Status: test · Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) · ID: 81315b50-6b60-4d8f-9928-3466e1022515 · License: Sigma DRL-1.1
Sigma YAML:
title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\desktop.ini'
    filter_main_generic:
        Image|startswith:
            - 'C:\Windows\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_upgrade:
        TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
    filter_optional_jetbrains:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
        TargetFilename|contains: '\JetBrains\apps\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Operations performed through Windows SCCM or equivalent
    - Read only access list authority
level: medium
Direct rule · level: medium
Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
Status: test · Author: Tim Rauch, Elastic (idea) · ID: 8a3038e8-9c9d-46f8-b184-66234a160f6f · License: Sigma DRL-1.1
Sigma YAML:
title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
    - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
    selection_opt:
        CommandLine|contains:
            - ' -L '
            - ' -P '
            - ' -R '
            - ' -pw '
            - ' -ssh '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
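To make the matching semantics of the two process_creation rules above concrete (User Added to Remote Desktop Users Group and Potential Remote Desktop Tunneling), here is a small Python evaluator run over constructed command lines. It is an added example, not code from SigmaHQ or from this page; the events are made up, and it implements only the pieces of the Sigma specification these two rules need: case-insensitive string comparison, `contains` with and without the `all` modifier, OR over a YAML list of maps, and the `all of <prefix>*` condition. Note that in the tunneling rule the prefix in `all of selection*` also covers `selection_opt`, so one of the SSH switches is required alongside `:3389`, not optional as the name suggests.

```python
import re

# Constructed sample process_creation events (not real telemetry). Only the
# CommandLine field is populated because it is the only field the two rules read.
EVENTS = [
    {"id": "e1", "CommandLine": 'net localgroup "Remote Desktop Users" corp\\jdoe /add'},
    {"id": "e2", "CommandLine": "powershell -c \"Add-LocalGroupMember -Group 'Utilisateurs du Bureau à distance' -Member jdoe\""},
    {"id": "e3", "CommandLine": "NET LOCALGROUP Administrators corp\\jdoe /ADD"},  # admin group, not RDP group
    {"id": "e4", "CommandLine": "plink.exe -ssh -R 3389:127.0.0.1:3389 ops@203.0.113.10 -pw Secret1"},
    {"id": "e5", "CommandLine": "mstsc.exe /v:fileserver:3389"},  # :3389 but no SSH switch
]

# The two rules transcribed from the YAML above. A YAML list of maps
# (selection_main) is an OR of those maps; a map is an AND of its fields; a list
# of values under one field is an OR unless the 'all' modifier is present.
RULE_RDP_GROUP = {
    "selection_main": [
        {"CommandLine|contains|all": ["localgroup ", " /add"]},
        {"CommandLine|contains|all": ["Add-LocalGroupMember ", " -Group "]},
    ],
    "selection_group": {
        "CommandLine|contains": [
            "Remote Desktop Users",
            "Utilisateurs du Bureau à distance",
            "Usuarios de escritorio remoto",
        ]
    },
    "condition": "all of selection_*",
}

RULE_RDP_TUNNEL = {
    "selection": {"CommandLine|contains": ":3389"},
    "selection_opt": {"CommandLine|contains": [" -L ", " -P ", " -R ", " -pw ", " -ssh "]},
    "condition": "all of selection*",
}


def field_matches(event, spec, values):
    """Evaluate one 'Field|modifiers: value(s)' entry against an event.

    Sigma string comparison is case-insensitive by default, so 'NET LOCALGROUP'
    still satisfies 'localgroup '. None of these values use the * or ? wildcards,
    so a plain substring test is exact here.
    """
    field, *modifiers = spec.split("|")
    haystack = str(event.get(field, "")).lower()
    if isinstance(values, str):
        values = [values]
    if "contains" in modifiers:
        hits = [v.lower() in haystack for v in values]
    else:
        hits = [haystack == str(v).lower() for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event, selection):
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(field_matches(event, spec, vals) for spec, vals in selection.items())


def evaluate(rule, event):
    """Only the 'all of <prefix>*' condition form used by these two rules is supported.

    The prefix is matched literally against the selection names, which is why
    'all of selection*' in the tunneling rule covers both 'selection' and
    'selection_opt'.
    """
    m = re.fullmatch(r"all of (\w*)\*", rule["condition"])
    if m is None:
        raise ValueError(f"unsupported condition: {rule['condition']}")
    names = [n for n in rule if n != "condition" and n.startswith(m.group(1))]
    return all(selection_matches(event, rule[n]) for n in names)


def run(rule, events):
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print("RDP group rule fires on:", run(RULE_RDP_GROUP, EVENTS))   # ['e1', 'e2']
    print("RDP tunnel rule fires on:", run(RULE_RDP_TUNNEL, EVENTS))  # ['e4']
```

Event e3 shows why the group rule stays quiet on an Administrators change (that case belongs to the related rule ad720b90 listed under `related`), and e5 shows that `:3389` alone, without an SSH switch, does not satisfy the tunneling rule.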
Direct rule · level: medium
New Remote Desktop Connection Initiated Via Mstsc.EXE
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Status: test · Author: frack113 · ID: 954f0af7-62dd-418f-b3df-a84bc2c7a774 · License: Sigma DRL-1.1
Sigma YAML:
title: New Remote Desktop Connection Initiated Via Mstsc.EXE
id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
status: test
description: |
    Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
    Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
author: frack113
date: 2022-01-07
modified: 2024-06-04
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_cli:
        CommandLine|contains|windash: ' /v:'
    filter_optional_wsl:
        # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - WSL (Windows Sub System For Linux)
level: medium
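The `windash` modifier on `CommandLine|contains|windash: ' /v:'` is what lets the rule above catch `mstsc -v:host` as well as `mstsc /v:host`. The following Python snippet, an added example rather than SigmaHQ or page code, expands the value the way the modifier does and then applies the rule's `all of selection_* and not 1 of filter_optional_*` condition to constructed Sysmon-style events, including the WSLg launch the filter is meant to suppress and a renamed binary that is still caught through `OriginalFileName`. The dash set, and the simplification that every dash in a value is swapped to the same alternative, are assumptions stated in the code.

```python
# Constructed Sysmon-style process_creation events (not real telemetry); only the
# fields the mstsc rule reads are populated.
EVENTS = [
    {"id": "m1", "Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe /v:10.0.0.5", "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": "m2", "Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": "MSTSC.EXE -v:fs01 /admin", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": "m3", "Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": r"mstsc.exe /v:00000000-0000-0000-0000-000000000000 /silent /wslg C:\ProgramData\Microsoft\WSL\wslg.rdp",
     "ParentImage": r"C:\Windows\System32\lxss\wslhost.exe"},  # the WSLg case the filter excludes
    {"id": "m4", "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": "svc.exe /v:fileserver", "ParentImage": r"C:\Windows\System32\cmd.exe"},  # renamed binary
    {"id": "m5", "Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe /edit Default.rdp", "ParentImage": r"C:\Windows\explorer.exe"},  # no /v:
]

# Assumed dash set for the windash modifier: '/', '-' and the Unicode dashes
# (en dash, em dash, horizontal bar) that pySigma expands to.
DASHES = ("/", "-", "\u2013", "\u2014", "\u2015")


def windash_variants(value):
    """Expand a value so that any one dash character matches any other.

    Simplification (assumption): every dash in the value is swapped to the same
    alternative, which is exact for single-switch values such as ' /v:'.
    """
    variants = set()
    for replacement in DASHES:
        v = value
        for original in DASHES:
            v = v.replace(original, replacement)
        variants.add(v)
    return variants


def field_matches(event, spec, values):
    """Case-insensitive evaluation of contains / startswith / endswith / exact, with windash."""
    field, *mods = spec.split("|")
    haystack = str(event.get(field, "")).lower()
    if isinstance(values, str):
        values = [values]
    if "windash" in mods:
        values = [w for v in values for w in windash_variants(v)]
    hits = []
    for v in values:
        v = v.lower()
        if "contains" in mods:
            hits.append(v in haystack)
        elif "endswith" in mods:
            hits.append(haystack.endswith(v))
        elif "startswith" in mods:
            hits.append(haystack.startswith(v))
        else:
            hits.append(haystack == v)
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event, selection):
    if isinstance(selection, list):  # list of maps: OR
        return any(selection_matches(event, s) for s in selection)
    return all(field_matches(event, spec, vals) for spec, vals in selection.items())


RULE = {
    "selection_img": [
        {"Image|endswith": r"\mstsc.exe"},
        {"OriginalFileName": "mstsc.exe"},
    ],
    "selection_cli": {"CommandLine|contains|windash": " /v:"},
    "filter_optional_wsl": {
        "ParentImage": r"C:\Windows\System32\lxss\wslhost.exe",
        "CommandLine|contains": r"C:\ProgramData\Microsoft\WSL\wslg.rdp",
    },
}


def evaluate(event):
    """condition: all of selection_* and not 1 of filter_optional_*"""
    selections = [n for n in RULE if n.startswith("selection_")]
    filters = [n for n in RULE if n.startswith("filter_optional_")]
    if not all(selection_matches(event, RULE[n]) for n in selections):
        return False
    return not any(selection_matches(event, RULE[n]) for n in filters)


def run(events):
    return [e["id"] for e in events if evaluate(e)]


if __name__ == "__main__":
    print(run(EVENTS))  # ['m1', 'm2', 'm4']
```

The filter only suppresses m3 because both of its fields hold (wslhost.exe parent and the wslg.rdp path); a process with the same parent but a different `/v:` target would still alert.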
Direct rule · level: medium
Potentially Suspicious Desktop Background Change Using Reg.EXE
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Status: test · Author: Stephen Lincoln @slincoln-aiq (AttackIQ) · ID: 8cbc9475-8d05-4e27-9c32-df960716c701 · License: Sigma DRL-1.1
Sigma YAML:
title: Potentially Suspicious Desktop Background Change Using Reg.EXE
id: 8cbc9475-8d05-4e27-9c32-df960716c701
related:
    - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
      type: similar
status: test
description: |
    Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: process_creation
detection:
    # TODO: Improve this to also focus on variation using PowerShell and other CLI tools
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_flag:
        CommandLine|contains: 'add'
    selection_keys:
        CommandLine|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_cli_reg_1:
        CommandLine|contains|all:
            - '/v NoChangingWallpaper'
            - '/d 1' # Prevent changing desktop background
    selection_cli_reg_2:
        CommandLine|contains|all:
            - '/v Wallpaper'
            - '/t REG_SZ'
    selection_cli_reg_3:
        CommandLine|contains|all:
            - '/v WallpaperStyle'
            - '/d 2' # Stretch
    condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium
Direct rule · level: medium
Windows Network Access Suspicious desktop.ini Action
Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Status: test · Author: Tim Shelton (HAWK.IO) · ID: 35bc7e28-ee6b-492f-ab04-da58fcf6402e · License: Sigma DRL-1.1
Sigma YAML:
title: Windows Network Access Suspicious desktop.ini Action
id: 35bc7e28-ee6b-492f-ab04-da58fcf6402e
status: test
description: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Tim Shelton (HAWK.IO)
date: 2021-12-06
modified: 2022-01-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ObjectType: File
        RelativeTargetName|endswith: '\desktop.ini'
        AccessList|contains:
            - 'WriteData'
            - 'DELETE'
            - 'WriteDAC'
            - 'AppendData'
            - 'AddSubdirectory'
    condition: selection
falsepositives:
    - Read only access list authority
level: medium
Direct rule · level: medium
File Access Of Signal Desktop Sensitive Data
Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
Status: experimental · Author: Andreas Braathen (mnemonic.io) · ID: 5d6c375a-18ae-4952-b4f6-8b803f6c8555 · License: Sigma DRL-1.1
Sigma YAML:
title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
    Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials.
    Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
    - https://vmois.dev/query-signal-desktop-messages-sqlite/
author: Andreas Braathen (mnemonic.io)
date: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    service: security
    definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        ObjectName|contains: '\AppData\Roaming\Signal\'
        ObjectName|endswith:
            - '\config.json'
            - '\db.sqlite'
    filter_main_signal:
        ProcessName|endswith:
            - '\signal-portable.exe'
            - '\signal.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely, but possible from AV or backup software accessing the files.
level: medium
Direct rule · level: medium
Denied Access To Remote Desktop
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network.
Status: test · Author: Pushkarev Dmitry · ID: 8e5c03fa-b7f0-11ea-b242-07e0576828d9 · License: Sigma DRL-1.1
Sigma YAML:
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
  This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
  Often, this event can be generated by attackers when searching for available Windows servers in the network.
references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020-06-27
modified: 2021-11-27
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4825
    condition: selection
falsepositives:
    - Valid user was not added to RDP group
level: medium
Direct rule · level: medium
Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
Status: test · Author: James Pemberton · ID: ce5678bb-b9aa-4fb5-be4b-e57f686256ad · License: Sigma DRL-1.1
Sigma YAML:
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
    - n/a
author: James Pemberton
date: 2020-05-22
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8001
        TargetName|startswith: 'TERMSRV'
    condition: selection
falsepositives:
    - Host connections to valid domains, exclude these.
    - Host connections not using host FQDN.
    - Host connections to external legitimate domains.
level: medium
Direct rule · level: medium
UAC Secure Desktop Prompt Disabled
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
Status: test · Author: frack113 · ID: 0d7ceeef-3539-4392-8953-3dc664912714 · License: Sigma DRL-1.1
Sigma YAML:
title: UAC Secure Desktop Prompt Disabled
id: 0d7ceeef-3539-4392-8953-3dc664912714
related:
    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
      type: similar
    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
      type: similar
status: test
description: |
    Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
    The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
    When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2024-05-10
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
Direct rule · level: medium
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) · ID: 85b88e05-dadc-430b-8a9e-53ff1cd30aae · License: Sigma DRL-1.1
Sigma YAML:
title: Potentially Suspicious Desktop Background Change Via Registry
id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
related:
    - id: 8cbc9475-8d05-4e27-9c32-df960716c701
      type: similar
status: test
description: |
    Detects registry value settings that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
modified: 2025-10-17
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_keys:
        TargetObject|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_values_1:
        TargetObject|endswith: 'NoChangingWallpaper'
        Details: 'DWORD (0x00000001)' # Prevent changing desktop background
    selection_values_2:
        TargetObject|endswith: '\Wallpaper'
    selection_values_3:
        TargetObject|endswith: '\WallpaperStyle'
        Details: '2' # Stretch
    filter_main_svchost:
        # Note: Excluding GPO changes
        Image|endswith: '\svchost.exe'
    filter_main_empty:
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
        Details: '(Empty)'
    filter_main_explorer:
        # Normally Explorer.exe is the process that changes the desktop background
        Image|endswith: 'C:\Windows\Explorer.EXE'
    filter_optional_ec2launch:
        Image:
            - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
            - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium
Direct rule · level: low
Replace Desktop Wallpaper by Powershell
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.
Status: test · Author: frack113 · ID: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287 · License: Sigma DRL-1.1
Sigma YAML:
title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: test
description: |
    An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
    This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'Get-ItemProperty'
            - 'Registry::'
            - 'HKEY_CURRENT_USER\Control Panel\Desktop\'
            - 'WallPaper'
    selection_2:
        ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low
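The value `SystemParametersInfo(20,0,*,3)` in selection_2 above is not a literal string: in Sigma `*` is a wildcard, while the parentheses are literal and must be escaped when the rule is compiled into a regular expression for a backend. This added Python example (not from SigmaHQ or this page) converts Sigma values to regexes that way, evaluates the rule's `1 of selection_*` condition over constructed script-block texts, and reports which selection fired. Treating `*` as able to span line breaks (DOTALL) in a multi-line script block is an assumption stated in the code.

```python
import re

# Constructed PowerShell script-block texts (the ScriptBlockText of Event ID 4104),
# not real logs.
EVENTS = [
    {"id": "s1", "ScriptBlockText":
        "Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name WallPaper"},
    {"id": "s2", "ScriptBlockText":
        "$img = 'C:\\Users\\Public\\note.bmp'\n"
        "[Wallpaper.Native]::SystemParametersInfo(20,0,$img,3)"},
    {"id": "s3", "ScriptBlockText":
        "Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name ScreenSaveActive"},
    {"id": "s4", "ScriptBlockText":
        "[Wallpaper.Native]::SystemParametersInfo(20,0,$img,1)"},  # wrong last argument, no match
]

# The rule transcribed from the YAML above.
RULE = {
    "selection_1": {"ScriptBlockText|contains|all": [
        "Get-ItemProperty", "Registry::", "HKEY_CURRENT_USER\\Control Panel\\Desktop\\", "WallPaper"]},
    "selection_2": {"ScriptBlockText|contains": "SystemParametersInfo(20,0,*,3)"},
    "condition": "1 of selection_*",
}


def sigma_value_to_regex(value, modifiers):
    """Translate a Sigma string value into a compiled Python regex.

    '*' matches any run of characters and '?' exactly one; everything else is
    literal, so the parentheses in SystemParametersInfo(20,0,*,3) are escaped
    rather than read as a regex group. 'contains' anchors nowhere, 'startswith'
    and 'endswith' anchor one end, and a plain value must match the whole field.
    Backslash-escaped wildcards in YAML are not handled (no rule on this page uses one).
    """
    parts = []
    for piece in re.split(r"([*?])", value):
        if piece == "*":
            parts.append(".*")
        elif piece == "?":
            parts.append(".")
        else:
            parts.append(re.escape(piece))
    body = "".join(parts)
    if "contains" in modifiers:
        body = ".*" + body + ".*"
    elif "startswith" in modifiers:
        body = body + ".*"
    elif "endswith" in modifiers:
        body = ".*" + body
    # Assumption: DOTALL so that '*' can span line breaks in a multi-line script
    # block; IGNORECASE mirrors Sigma's case-insensitive default.
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def field_matches(event, spec, values):
    field, *modifiers = spec.split("|")
    haystack = str(event.get(field, ""))
    if isinstance(values, str):
        values = [values]
    hits = [sigma_value_to_regex(v, modifiers).fullmatch(haystack) is not None for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def matched_selections(event):
    """Names of the selections whose fields all match the event."""
    return [name for name, sel in RULE.items() if name != "condition"
            and all(field_matches(event, spec, vals) for spec, vals in sel.items())]


def evaluate(event):
    """condition: 1 of selection_* means at least one selection matches."""
    return len(matched_selections(event)) >= 1


def run(events):
    return {e["id"]: matched_selections(e) for e in events if evaluate(e)}


if __name__ == "__main__":
    print(run(EVENTS))  # {'s1': ['selection_1'], 's2': ['selection_2']}
```

Because `.*` is greedy and, under DOTALL, crosses lines, the selection_2 pattern will also match a script in which `SystemParametersInfo(20,0,` and a later `,3)` are far apart; that is inherent to the wildcard in the rule, not a quirk of this translation.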
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin