From b2fdf54024b9bf4159e32f434c8cbe0c0c57c434 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 15 Mar 2026 01:31:22 +0000
Subject: [PATCH] feat(threat-hunting): Remote Desktop Protocol (RDP) policy
 change

---
 source/threat-hunting/index.md             |  1 +
 source/threat-hunting/rdp-policy-change.md | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 source/threat-hunting/rdp-policy-change.md

diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index ff466bf..5b770cb 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -94,6 +94,7 @@ updated: 2025-12-02
 - [Reboot to safe mode](reboot-to-safe-mode)
 - [Regasm.exe execution](regasm-exe-execution)
 - [Regsvcs.exe process injection](regsvcs-exe-process-injection)
+- [Remote Desktop Protocol (RDP) policy change](rdp-policy-change)
 - [Remote Desktop tool installation/execution](remote-desktop-tool-installation-execution)
 - [Remote Desktop tool auto-start](remote-desktop-tool-auto-start)
 - [Remote Desktop tool scheduled task](remote-desktop-tool-scheduled-task)
diff --git a/source/threat-hunting/rdp-policy-change.md b/source/threat-hunting/rdp-policy-change.md
new file mode 100644
index 0000000..e6315ca
--- /dev/null
+++ b/source/threat-hunting/rdp-policy-change.md
@@ -0,0 +1,18 @@
+---
+title: Remote Desktop Protocol (RDP) policy change
+layout: page
+date: 2026-03-15
+---
+
+References: [1](https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/#defense-evasion), [2](https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/rdp-error-general-troubleshooting), [3](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/change-listening-port)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name="reg.exe" Processes.process="*SYSTEM\\CurrentControlSet\\Control\\Terminal Server*" BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
+| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
+```
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE index="windows" Registry.registry_path="*SYSTEM\\CurrentControlSet\\Control\Terminal Server*" BY Registry.dest, Registry.registry_path, Registry.registry_value_name, Registry.registry_value_data, Registry.action, Registry.process_guid, Registry.process_id, Registry.user
+| rename Registry.* AS *
+```