Potential Remote Desktop Shadowing Activity
This rule detects potential Remote Desktop Shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session that allows adversaries to spy on or control other user's RDP sessions.
Remote Desktop Shadowing is a feature intended for legitimate administrative purposes, allowing administrators to view or control active RDP sessions for support and troubleshooting. However, adversaries can abuse this feature to monitor or hijack user sessions without consent, leading to unauthorized access and data compromise. This activity is detected by monitoring for modifications to the RDP Shadow registry settings and the execution of specific processes linked to shadowing, such as "RdpSaUacHelper.exe", "RdpSaProxy.exe", and "mstsc.exe" with the "/shadow:*" argument. The rule identifies suspicious modifications to RDP Shadow registry settings, specifically changes in "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow", and the execution of associated processes by "svchost.exe". This activity can originate from internal or external actors and has been observed in various attacks aimed at lateral movement and data theft. Defenders should prioritize detection and prevention of RDP shadowing to prevent unauthorized access and session hijacking.
Attack Chain
- The attacker gains initial access to the target system through compromised credentials or other means.
- The attacker modifies the RDP Shadow registry key
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadowto enable shadowing. This may involve setting the value to "1", "2", "3", or "4". - The attacker uses
svchost.exeto launchRdpSaUacHelper.exeorRdpSaProxy.exeto initiate the shadowing session. - Alternatively, the attacker directly executes
mstsc.exewith the/shadow:<session ID>argument to target a specific RDP session. - The compromised host connects to the target RDP session, allowing the attacker to view or control the user's session.
- The attacker monitors the user's activity, captures sensitive information, or performs malicious actions within the compromised session.
- The attacker may use the compromised session to move laterally to other systems on the network.
Impact
Successful RDP shadowing allows an attacker to gain unauthorized access to sensitive information displayed on the user's screen. This can include credentials, financial data, or proprietary information. The attacker can also control the user's session, potentially leading to data theft, system compromise, or further lateral movement within the network. This can result in significant financial losses, reputational damage, and legal liabilities. The number of affected users depends on the scope of the attack and the number of RDP sessions targeted.
Recommendation
- Monitor registry modifications to
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadowusing a registry monitoring tool and deploy the "RDP Shadow Registry Modification" Sigma rule. - Alert on the execution of
RdpSaUacHelper.exeorRdpSaProxy.exespawned bysvchost.exeusing the "RDP Shadow Process Execution" Sigma rule. - Monitor for the execution of
mstsc.exewith the/shadowargument using the "RDP Shadow MSTSC Execution" Sigma rule. - Review and harden RDP access policies, including multi-factor authentication and limiting RDP access to only necessary users and systems.
- Implement enhanced monitoring and logging for RDP activities across the network.
Detection coverage 3
RDP Shadow Registry Modification
highDetects modifications to the RDP Shadow registry key, indicating potential unauthorized RDP shadowing activity.
RDP Shadow Process Execution
highDetects the execution of RdpSaUacHelper.exe or RdpSaProxy.exe by svchost.exe, which is indicative of RDP shadowing activity.
RDP Shadow MSTSC Execution
highDetects the execution of mstsc.exe with the /shadow argument, indicating an attempt to shadow an RDP session.
Detection queries are available on the platform. Get full rules →