--- title: Potential RemoteMonologue Attack description: Identifies attempt to perform session hijack via COM object registry modification by setting the RunAs value to Interactive User. Rule type: eql Rule... url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/security/prebuilt-rules/rules/windows/defense_evasion_regmod_remotemonologue products: - Elastic Security --- # Potential RemoteMonologue Attack Identifies attempt to perform session hijack via COM object registry modification by setting the RunAs value to Interactive User. **Rule type**: eql **Rule indices**: - logs-endpoint.events.registry-* - endgame-* - logs-m365_defender.event-* - logs-sentinel_one_cloud_funnel.* - logs-windows.sysmon_operational-* **Rule Severity**: medium **Risk Score**: 47 **Runs every**: **Searches indices from**: `now-9m` **Maximum alerts per execution**: 100 **References**: - [[https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1](https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1)](https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1) - [[https://github.com/xforcered/RemoteMonologue](https://github.com/xforcered/RemoteMonologue)](https://github.com/xforcered/RemoteMonologue) **Tags**: - Domain: Endpoint - OS: Windows - Use Case: Threat Detection - Tactic: Defense Evasion - Data Source: Elastic Defend - Data Source: Elastic Endgame - Data Source: Microsoft Defender for Endpoint - Data Source: SentinelOne - Data Source: Sysmon - Resources: Investigation Guide **Version**: 4 **Rule authors**: - Elastic **Rule license**: Elastic License v2 ## Investigation guide ## Triage and analysis ### Investigating Potential RemoteMonologue Attack ### Possible investigation steps - Review the registry event logs to confirm the modification of the RunAs value in the specified registry paths, ensuring the change was not part of a legitimate administrative action. - Identify the user account and process responsible for the registry modification by examining the event logs for associated user and process information. - Check for any recent remote authentication attempts or sessions on the affected host to determine if this activity is associated with lateral movement or not. - Investigate the timeline of the registry change to correlate with any other suspicious activities or alerts on the host, such as the execution of unusual processes or network connections. ### False positive analysis - Software updates or installations that modify COM settings. - Automated scripts or management tools that adjust COM configurations. ### Response and remediation - Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. - Modify the registry value back to its secure state, ensuring that "RunAs" value is not set to "Interactive User". - Conduct a thorough review of recent user activity and system logs to identify any unauthorized access or changes made during the period NLA was disabled. - Reset passwords for all accounts that have accessed the affected system to mitigate potential credential compromise. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities. ## Rule Query ```eql registry where host.os.type == "windows" and event.action != "deletion" and registry.value == "RunAs" and registry.data.strings : "Interactive User" and not ( ( process.executable : ( "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.*\\MsMpEng.exe", "C:\\Program Files\\Windows Defender\\MsMpEng.exe" ) and registry.path : "*\\SOFTWARE\\Classes\\AppID\\{1111A26D-EF95-4A45-9F55-21E52ADF9887}\\RunAs" ) or ( process.executable : ( "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe" ) and registry.path : "*\\SOFTWARE\\Classes\\AppID\\{850A928D-5456-4865-BBE5-42635F1EBCA1}\\RunAs" ) or ( process.executable : "C:\\Windows\\System32\\svchost.exe" and registry.path : "*\\S-1-*Classes\\AppID\\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\\RunAs" ) or ( process.executable : "C:\\Windows\\System32\\SecurityHealthService.exe" and registry.path : ( "*\\SOFTWARE\\Classes\\AppID\\{1D278EEF-5C38-4F2A-8C7D-D5C13B662567}\\RunAs", "*\\SOFTWARE\\Classes\\AppID\\{7E55A26D-EF95-4A45-9F55-21E52ADF9878}\\RunAs" ) ) or ( process.executable : "C:\\Windows\\System32\\SecurityHealthService.exe" and registry.path : ( "*\\SOFTWARE\\Classes\\AppID\\{1D278EEF-5C38-4F2A-8C7D-D5C13B662567}\\RunAs", "*\\SOFTWARE\\Classes\\AppID\\{7E55A26D-EF95-4A45-9F55-21E52ADF9878}\\RunAs" ) ) or registry.path : ( "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*" ) or (process.executable : "C:\\windows\\System32\\msiexec.exe" and ?user.id : "S-1-5-18") ) ``` **Framework:** MITRE ATT&CK - Tactic: - Name: Defense Evasion - Id: TA0005 - Reference URL: [[https://attack.mitre.org/tactics/TA0005/](https://attack.mitre.org/tactics/TA0005/)](https://attack.mitre.org/tactics/TA0005/) - Technique: - Name: Modify Registry - Id: T1112 - Reference URL: [[https://attack.mitre.org/techniques/T1112/](https://attack.mitre.org/techniques/T1112/)](https://attack.mitre.org/techniques/T1112/) - Technique: - Name: Impair Defenses - Id: T1562 - Reference URL: [[https://attack.mitre.org/techniques/T1562/](https://attack.mitre.org/techniques/T1562/)](https://attack.mitre.org/techniques/T1562/) **Framework:** MITRE ATT&CK - Tactic: - Name: Persistence - Id: TA0003 - Reference URL: [[https://attack.mitre.org/tactics/TA0003/](https://attack.mitre.org/tactics/TA0003/)](https://attack.mitre.org/tactics/TA0003/) - Technique: - Name: Event Triggered Execution - Id: T1546 - Reference URL: [[https://attack.mitre.org/techniques/T1546/](https://attack.mitre.org/techniques/T1546/)](https://attack.mitre.org/techniques/T1546/) - Sub Technique: - Name: Component Object Model Hijacking - Id: T1546.015 - Reference URL: [[https://attack.mitre.org/techniques/T1546/015/](https://attack.mitre.org/techniques/T1546/015/)](https://attack.mitre.org/techniques/T1546/015/)