Potential RemoteMonologue Attack

Status: production
Severity: medium
Time window: 9m
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies attempt to perform session hijack via COM object registry modification by setting the RunAs value to Interactive User.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry, `T1546.015` Event Triggered Execution: Component Object Model Hijacking
Stealth	`T1562` Impair Defenses

Event coverage

Provider	Event	Title
Sysmon	Event ID 12	RegistryEvent (Object create and delete)
Sysmon	Event ID 13	RegistryEvent (Value Set)
Sysmon	Event ID 14	RegistryEvent (Key and Value Rename)

Rule body elastic

[metadata]
creation_date = "2025/04/14"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies attempt to perform session hijack via COM object registry modification by setting the RunAs value to
Interactive User.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential RemoteMonologue Attack"
note = """## Triage and analysis

### Investigating Potential RemoteMonologue Attack


### Possible investigation steps

- Review the registry event logs to confirm the modification of the RunAs value in the specified registry paths, ensuring the change was not part of a legitimate administrative action.
- Identify the user account and process responsible for the registry modification by examining the event logs for associated user and process information.
- Check for any recent remote authentication attempts or sessions on the affected host to determine if this activity is associated with lateral movement or not.
- Investigate the timeline of the registry change to correlate with any other suspicious activities or alerts on the host, such as the execution of unusual processes or network connections.

### False positive analysis

- Software updates or installations that modify COM settings.
- Automated scripts or management tools that adjust COM configurations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Modify the registry value back to its secure state, ensuring that "RunAs" value is not set to "Interactive User".
- Conduct a thorough review of recent user activity and system logs to identify any unauthorized access or changes made during the period NLA was disabled.
- Reset passwords for all accounts that have accessed the affected system to mitigate potential credential compromise.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Registry Events](https://ela.st/sysmon-event-reg-setup)
"""

references = [
    "https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1",
    "https://github.com/xforcered/RemoteMonologue",
]
risk_score = 47
rule_id = "c18975f5-676c-4091-b626-81e8938aa2ee"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.action != "deletion" and
  registry.value == "RunAs" and registry.data.strings : "Interactive User" and

  not 
  (
    (
      process.executable : (
        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.*\\MsMpEng.exe",
        "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
      ) and
      registry.path : "*\\SOFTWARE\\Classes\\AppID\\{1111A26D-EF95-4A45-9F55-21E52ADF9887}\\RunAs"
    ) or
    (
      process.executable : (
        "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
        "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe"
      ) and
      registry.path : "*\\SOFTWARE\\Classes\\AppID\\{850A928D-5456-4865-BBE5-42635F1EBCA1}\\RunAs"
    ) or
    (
      process.executable : "C:\\Windows\\System32\\svchost.exe" and
      registry.path : "*\\S-1-*Classes\\AppID\\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\\RunAs"
    ) or
    (
      process.executable : "C:\\Windows\\System32\\SecurityHealthService.exe" and
      registry.path : (
        "*\\SOFTWARE\\Classes\\AppID\\{1D278EEF-5C38-4F2A-8C7D-D5C13B662567}\\RunAs",
        "*\\SOFTWARE\\Classes\\AppID\\{7E55A26D-EF95-4A45-9F55-21E52ADF9878}\\RunAs"
      )
    ) or
    (
      process.executable : "C:\\Windows\\System32\\SecurityHealthService.exe" and
      registry.path : (
        "*\\SOFTWARE\\Classes\\AppID\\{1D278EEF-5C38-4F2A-8C7D-D5C13B662567}\\RunAs",
        "*\\SOFTWARE\\Classes\\AppID\\{7E55A26D-EF95-4A45-9F55-21E52ADF9878}\\RunAs"
      )
    ) or
    registry.path : (
      "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*",
      "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*"
    ) or
    (process.executable : "C:\\windows\\System32\\msiexec.exe" and ?user.id : "S-1-5-18")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat.technique.subtechnique]]
id = "T1546.015"
name = "Component Object Model Hijacking"
reference = "https://attack.mitre.org/techniques/T1546/015/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

Stages and Predicates

Stage 1: `registry`

registry where host.os.type == "windows" and event.action != "deletion" and
  registry.value == "RunAs" and registry.data.strings : "Interactive User" and

  not 
  (
    (
      process.executable : (
        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.*\\MsMpEng.exe",
        "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
      ) and
      registry.path : "*\\SOFTWARE\\Classes\\AppID\\{1111A26D-EF95-4A45-9F55-21E52ADF9887}\\RunAs"
    ) or
    (
      process.executable : (
        "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
        "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe"
      ) and
      registry.path : "*\\SOFTWARE\\Classes\\AppID\\{850A928D-5456-4865-BBE5-42635F1EBCA1}\\RunAs"
    ) or
    (
      process.executable : "C:\\Windows\\System32\\svchost.exe" and
      registry.path : "*\\S-1-*Classes\\AppID\\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\\RunAs"
    ) or
    (
      process.executable : "C:\\Windows\\System32\\SecurityHealthService.exe" and
      registry.path : (
        "*\\SOFTWARE\\Classes\\AppID\\{1D278EEF-5C38-4F2A-8C7D-D5C13B662567}\\RunAs",
        "*\\SOFTWARE\\Classes\\AppID\\{7E55A26D-EF95-4A45-9F55-21E52ADF9878}\\RunAs"
      )
    ) or
    (
      process.executable : "C:\\Windows\\System32\\SecurityHealthService.exe" and
      registry.path : (
        "*\\SOFTWARE\\Classes\\AppID\\{1D278EEF-5C38-4F2A-8C7D-D5C13B662567}\\RunAs",
        "*\\SOFTWARE\\Classes\\AppID\\{7E55A26D-EF95-4A45-9F55-21E52ADF9878}\\RunAs"
      )
    ) or
    registry.path : (
      "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*",
      "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*"
    ) or
    (process.executable : "C:\\windows\\System32\\msiexec.exe" and ?user.id : "S-1-5-18")
  )

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`process.executable`	eq	`C:\Program Files\TeamViewer\TeamViewer.exe`, `C:\Program Files (x86)\TeamViewer\TeamViewer.exe`
`registry.path`	ends_with	`\SOFTWARE\Classes\AppID\{850A928D-5456-4865-BBE5-42635F1EBCA1}\RunAs`
`process.executable`	eq	`C:\Windows\System32\SecurityHealthService.exe`
`registry.path`	ends_with	`\SOFTWARE\Classes\AppID\{1D278EEF-5C38-4F2A-8C7D-D5C13B662567}\RunAs`, `\SOFTWARE\Classes\AppID\{7E55A26D-EF95-4A45-9F55-21E52ADF9878}\RunAs`
`process.executable`	eq	`C:\Windows\System32\svchost.exe`
`registry.path`	wildcard	`\S-1-Classes\AppID\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\RunAs`
`process.executable`	eq	`C:\windows\System32\msiexec.exe`
`user.id`	eq	`S-1-5-18`
`process.executable`	wildcard	`C:\ProgramData\Microsoft\Windows Defender\Platform\4.*\MsMpEng.exe`, `C:\Program Files\Windows Defender\MsMpEng.exe`
`registry.path`	ends_with	`\SOFTWARE\Classes\AppID\{1111A26D-EF95-4A45-9F55-21E52ADF9887}\RunAs`
`registry.path`	starts_with	`HKLM\SOFTWARE\Microsoft\Office\ClickToRun\VREGISTRY_`, `\REGISTRY\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\VREGISTRY_`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	ne	`deletion` corpus 11 (elastic 11)
`registry.data.strings`	wildcard	`Interactive User`
`registry.value`	eq	`RunAs`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Potential RemoteMonologue Attack

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: `registry`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Potential RemoteMonologue Attack

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: registry

Exclusions

Indicators

Stage 1: `registry`