EnableLinkedConnections Registry Edit

Last updated on:

Rule name: EnableLinkedConnections Registry Edit

Rule type: Standard

Log sources: Windows, Sysmon

MITRE ATT&CK tags: Persistence: Modify Registry (T1112)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Detects the modification of the EnableLinkedConnections registry value. This configuration allows an administrator-level user to share network connections and mapped drives between their filtered (standard) and elevated tokens, which can be exploited by malware to gain access to network resources.

Why this rule?

While this setting has legitimate administrative uses, adversaries can enable it to access network resources with elevated privileges using mapped drives. This configuration change can facilitate lateral movement and data exfiltration. Monitoring this modification helps identify potential privilege abuse or preparation for network-based attacks.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Privilege Escalation → Registry Modification (EnableLinkedConnections) → Malware accessing administrative network shares using the user's elevated token.

Impact

Increased risk of malware spreading via network shares and unauthorized access to protected network resources from a standard user context.

Rule Requirement

Prerequisites

Enable Registry auditing for the path: HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Policies\System.

Criteria

Action1: actionname = "Registry Event"
  AND ( OBJECTNAME contains "Windows\CurrentVersion\Policies\System" )
  AND ( OBJECTNAME endswith "EnableLinkedConnections" OR OBJECTVALUENAME = "EnableLinkedConnections" )
  AND ( CHANGES = "1" OR INFORMATION = "DWORD (0x00000001)" )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.PROCESSNAME, Action1.OBJECTNAME, Action1.OBJECTVALUENAME, Action1.ACCESSES, Action1.USERNAME, Action1.DOMAIN, Action1.PREVVAL, Action1.CHANGES, Action1.INFORMATION
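The following is an added example, not the vendor's rule engine or any code from this page: it applies the three conditions of the Criteria above (key path fragment, value name, value set to 1) to Sysmon Event ID 13 (RegistryEvent: Value Set) records. The field names EventID, Computer, User, Image, TargetObject and Details are Sysmon's own; every record in the sample is constructed for this example, and the host names, user names and SID are placeholders.

```python
"""Apply the EnableLinkedConnections rule criteria to Sysmon registry events.

Added example; not part of the original rule page. Sample events below are
constructed, and the Sysmon field names are used as Sysmon emits them.
"""
import re

# Documented location of the value (the SOFTWARE hive, under Policies\System).
POLICY_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"

# Constructed sample of Sysmon events (Event ID 13 = value set, 12 = key create).
SAMPLE_EVENTS = [
    {   # 1: the change the rule targets: value set to 1 interactively
        "EventID": 13, "Computer": "WS01", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": POLICY_KEY + "\\EnableLinkedConnections",
        "Details": "DWORD (0x00000001)",
    },
    {   # 2: the same value reverted to 0; the rule must stay silent
        "EventID": 13, "Computer": "WS01", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": POLICY_KEY + "\\EnableLinkedConnections",
        "Details": "DWORD (0x00000000)",
    },
    {   # 3: a different value under the same policy key
        "EventID": 13, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM",
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": POLICY_KEY + "\\EnableLUA",
        "Details": "DWORD (0x00000001)",
    },
    {   # 4: the same value name under an unrelated key (outside the rule's path)
        "EventID": 13, "Computer": "WS02", "User": "CORP\\asmith",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Contoso\\EnableLinkedConnections",
        "Details": "DWORD (0x00000001)",
    },
    {   # 5: key creation (ID 12) carries no Details and is not a value set
        "EventID": 12, "Computer": "WS01", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": POLICY_KEY,
    },
]

KEY_FRAGMENT = "windows\\currentversion\\policies\\system"
VALUE_NAME = "enablelinkedconnections"
# Sysmon renders DWORD data as "DWORD (0x00000001)"; accept any zero padding of 1.
ENABLED_DWORD = re.compile(r"^DWORD \(0x0*1\)$", re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """True when the event sets ...\\Policies\\System\\EnableLinkedConnections to 1."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    if KEY_FRAGMENT not in target:
        return False
    if not target.endswith("\\" + VALUE_NAME):
        return False
    return ENABLED_DWORD.match(event.get("Details", "")) is not None


def find_alerts(events) -> list:
    """Project matching events onto the fields the rule's select clause names."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({
                "HOSTNAME": event["Computer"],
                "USERNAME": event["User"],
                "PROCESSNAME": event["Image"],
                "OBJECTNAME": event["TargetObject"],
                "INFORMATION": event["Details"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample record fires; the revert to 0, the sibling value, the same value name under another key, and the key-create event are all rejected, which is the behaviour the Criteria's three AND clauses describe. PROCESSNAME and USERNAME are carried through because they are the fields the Next Steps lean on when deciding whether the change was an authorized administrative action.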

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Persistence: Modify Registry (T1112)

Future actions

Known False Positives

Legitimate configuration by IT administrators to fix issues where mapped drives are not visible in elevated command prompts or applications.

Next Steps

  1. Identification: Verify if the registry change was pushed via an authorized Group Policy.
  2. Analysis: Check if the user who made the change has a legitimate need to see mapped drives in elevated sessions.
  3. Response: Revert the registry value if it does not conform to the organization's security baseline.

Mitigation

ID: M1024

Mitigation: Restrict Registry Permissions

Description: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.