medium advisory

Network-Level Authentication (NLA) Disabled via Registry Modification

Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.

Network-Level Authentication (NLA) is a security feature in Windows that requires users to authenticate before establishing a full RDP session, adding an extra layer of protection against unauthorized access. Attackers might attempt to disable NLA to gain access to the Windows sign-in screen without proper authentication. This tactic can facilitate the deployment of persistence mechanisms, such as leveraging Accessibility Features like Sticky Keys, or enable unauthorized remote access. This brief addresses the registry modifications associated with disabling NLA and provides detection strategies to identify such attempts. The references indicate that this technique is used in conjunction with other attacks for lateral movement within a compromised network.

Attack Chain

  1. Initial access to the system is gained (potentially via compromised credentials or vulnerability exploitation).
  2. The attacker elevates privileges to modify system-level settings.
  3. The attacker modifies the registry key HKLM\SYSTEM\ControlSet*\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication to disable NLA.
  4. The UserAuthentication value is set to 0 (written as "0" or, as a DWORD, "0x00000000").
  5. The attacker attempts to establish an RDP connection to the compromised system.
  6. Due to the disabled NLA, the attacker bypasses the initial authentication screen.
  7. The attacker leverages accessibility features (e.g., Sticky Keys) for persistence or further exploitation.
  8. The attacker gains unauthorized access to the system.

Impact

Successful disabling of NLA allows attackers to bypass authentication and gain unauthorized access to systems via RDP. This can lead to data theft, malware installation, or further lateral movement within the network. While the exact number of victims and the sectors targeted are unspecified, the potential impact includes significant data breaches and system compromise.

Recommendation

  • Enable Sysmon process-creation and registry event logging to detect the registry modifications (Elastic Defend, Elastic Endgame, Microsoft Defender XDR, SentinelOne, Sysmon).
  • Deploy the Sigma rule provided to detect attempts to modify the UserAuthentication registry key (Sysmon Registry Events).
  • Review and harden RDP configurations across the environment to prevent unauthorized access (Microsoft documentation).
  • Monitor endpoint security policies to detect unauthorized registry modifications (Endpoint Security Policies).
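One way to implement the detection the recommendations above call for, added here as an example rather than the platform's own Sigma rule: a small Python matcher over Sysmon Event ID 13 (RegistryEvent: Value Set) records, assuming Sysmon's standard field names (EventType, TargetObject, Details, Image) and a Sysmon configuration that logs writes under the Terminal Server keys; the sample events are constructed.

```python
import re

# Added detection example, not the advisory's own Sigma rule: flag Sysmon
# Event ID 13 (RegistryEvent: Value Set) records that write 0 to the RDP-Tcp
# UserAuthentication value, i.e. NLA being disabled. Field names follow the
# Sysmon schema; the sample events below are constructed for this example.
TARGET_RE = re.compile(
    r"\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]+)\)$")

def value_as_int(details):
    """Integer encoded by a Sysmon Details field ("DWORD (0x00000000)", "0",
    "0x0"), or None when the data is not numeric (e.g. a REG_SZ string)."""
    m = DWORD_RE.match(details.strip())
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip(), 0)
    except ValueError:
        return None

def is_nla_disable(event):
    """True when a SetValue event writes 0 to RDP-Tcp\\UserAuthentication
    under any ControlSet (CurrentControlSet, ControlSet001, ...)."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    if not TARGET_RE.search(event.get("TargetObject", "")):
        return False
    return value_as_int(event.get("Details", "")) == 0

def find_nla_disabled(events):
    """Events that should raise an alert; triage by Image, User and host."""
    return [e for e in events if is_nla_disable(e)]

def sysmon_event(image, target, details):
    """Build a minimal constructed Sysmon Event ID 13 record."""
    return {"EventID": 13, "EventType": "SetValue", "Image": image,
            "TargetObject": target, "Details": details}

TS = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\"
NLA = "WinStations\\RDP-Tcp\\UserAuthentication"
SAMPLE_EVENTS = [
    sysmon_event("C:\\Windows\\System32\\reg.exe", TS + NLA, "DWORD (0x00000000)"),
    sysmon_event("C:\\Windows\\System32\\svchost.exe", TS + NLA, "DWORD (0x00000001)"),  # re-enabled, e.g. by GPO
    sysmon_event("C:\\Windows\\regedit.exe", TS.replace("CurrentControlSet", "ControlSet001") + NLA, "0"),
    sysmon_event("C:\\Windows\\System32\\reg.exe", TS + "fDenyTSConnections", "DWORD (0x00000000)"),  # not NLA
]
```

Sysmon only emits Event ID 13 for keys its configuration includes, so the matcher is only as good as that configuration. The value also goes to 0 when an administrator legitimately disables NLA, so triage each hit by the writing process and account.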

Detection coverage (2 rules)

Detect NLA Disabled via Registry Modification

medium

Detects attempts to disable Network-Level Authentication by modifying the UserAuthentication registry value.

Format: sigma
Tactics: defense_evasion, lateral_movement
Techniques: T1021, T1562
Sources: registry_set, windows

Detect NLA Disabled via Registry Modification - Sysmon

medium

Detects attempts to disable Network-Level Authentication by modifying the UserAuthentication registry value using Sysmon.

Format: sigma
Tactics: defense_evasion, lateral_movement
Techniques: T1021, T1562
Sources: registry_set, windows

Detection queries are kept inside the platform.