RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class (4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d)

Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP. In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
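
As an added example that is not part of the Sigma rule or the MISP galaxy entry, the matcher below applies the indicators named in the description (the Win32_TerminalServiceSetting class, its SetAllowTSConnections method and the WMIC rdtoggle alias) to constructed process-creation records and derives whether the call enables or disables RDP from the AllowTSConnections argument (1 = allow, 0 = deny). The event field names and the sample command lines are assumptions made for the example.

```python
import re

# Constructed Sysmon Event ID 1 / Security 4688-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"(Get-WmiObject -Namespace root\\cimv2\\TerminalServices "
                    "-Class Win32_TerminalServiceSetting).SetAllowTSConnections(1,1)\""},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic rdtoggle where ServerName='SRV01' call SetAllowTSConnections 0"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Invoke-CimMethod -MethodName SetAllowTSConnections "
                    "-Arguments @{AllowTSConnections=1; ModifyFirewallException=1} "
                    "-InputObject (Get-CimInstance Win32_TerminalServiceSetting "
                    "-Namespace root/cimv2/TerminalServices)"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Service TermService"},
]

# Class name (PowerShell / WMIC) or the WMIC alias that maps to the same class.
CLASS_RE = re.compile(r"Win32_TerminalServiceSetting|\brdtoggle\b", re.IGNORECASE)
# The method that actually flips the setting; a read-only query is not flagged.
METHOD_RE = re.compile(r"SetAllowTSConnections", re.IGNORECASE)
# First argument, whether passed positionally "(1,1)" / "call ... 1" or by name
# via a CIM argument hashtable "AllowTSConnections=1".
ARG_RE = re.compile(
    r"(?:SetAllowTSConnections\s*\(?\s*|AllowTSConnections\s*=\s*)([01])\b",
    re.IGNORECASE)


def classify_event(event):
    """Return None for benign records, else a dict with the inferred action."""
    cmd = event.get("CommandLine", "")
    if not (CLASS_RE.search(cmd) and METHOD_RE.search(cmd)):
        return None
    m = ARG_RE.search(cmd)
    if m is None:
        action = "unknown"          # method invoked, argument not parseable
    else:
        action = "enable" if m.group(1) == "1" else "disable"
    return {"action": action, "image": event.get("Image", "")}


def detect(events):
    """Yield (index, classification) for every record that matches."""
    return [(i, r) for i, e in enumerate(events) if (r := classify_event(e))]


if __name__ == "__main__":
    for idx, hit in detect(SAMPLE_EVENTS):
        print(f"event {idx}: RDP {hit['action']} via {hit['image']}")
```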

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class (4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d) | Sigma-Rules | 1 |
| RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class (4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d) | Sigma-Rules | Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | 1 |
| Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |