Portfolio
Cybersecurity Services
Securing your digital journey with resilient, adaptive cyber defense.

E2E Zero Trust Solutions

Replacing implicit trust with continuous, identity-centric security.

Securing AI & Post Quantum Cybersecurity

Enabling next-gen security for AI innovation and quantum resilience.

Hyperscalers Security

Securing your cloud-native infrastructure at hyperscale speed and precision.

Managed Security Services

DDoS Threat Exposure Management

Continuous Threat Exposure Management (CTEM)

Digital Forensics and Incident Response

Cyber Trust Advisory

Offensive Cybersecurity

Project Management

Professional Services

24 X 7 Support

End-to-end cybersecurity. Built for today’s threats.

Cloud Security

SecOps

OT & IoT Security

Identity Fabric Immunity

Data Security & Privacy

Application Security

Endpoint Security

Network Security

Malware Analysis

Secure Access Service Edge (SASE)

Eliminating implicit trust across your digital estate.

Microsoft Security Services

Google Cloud Security Services

AWS Security Services

Cloud-native security designed for hyperscale environments.
About
Our Story

Mission & Vision

Principles

Leadership
Resources

Blog Post

Stay updated with our latest news, press releases, & more.

Media

Insights and analysis on the latest trends & technologies.

Videos

Watch & learn from our insightful video gallery

Threat Advisories

Critical updates and alerts on emerging threats.

Reports & Whitepapers

In-depth research and analysis on key cybersecurity topics.

Service Briefs

Comprehensive guides and technical documents.

Case studies

Real-world examples of our solutions in action across industries.
Events
Trust Center
Partners
Careers

Blog

OilRig Abuses RemoteApp Settings to Enable Stealthy Execution

By helpag

Threat Actor: OilRig(APT34)
Target Sector: Government & Critical Infrastructure (Middle East)

Summary

Help AG’s CTI and DFIR teams recently observed Iranian-linked threat actor OilRig employing a lesser-known but effective method to maintain persistence and bypass application whitelisting controls in enterprise environments. The technique revolves around abusing Windows RemoteApp configuration via the Registry.

Using PowerShell, the actor executed:

Set-ItemProperty “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList” -Name fDisabledAllowList -Value 1

This command disables RemoteApp’s application allow list, effectively allowing any application to run as a RemoteApp—turning a legitimate remote access tool into a stealthy backdoor.

How It Works

RemoteApp is part of Microsoft’s Remote Desktop Services (RDS), used to publish and restrict access to specific applications for remote users. By default, only explicitly allowed applications can be launched.

But with fDisabledAllowList = 1, attackers remove that restriction. This opens the door to arbitrary executable launches under the guise of sanctioned remote activity—evading both host-based defenses and user behavior analytics.

By creating .rdp session and editing it, Windows allows to specify “remoteapplicationprogram:” and then add the path of application to run remotely.

Why RemoteApp?

Covert Execution: Applications launched via RemoteApp blend into RDS traffic—no unusual parent-child relationships or visible pop-ups.
Bypass App Whitelisting: Circumvents controls like AppLocker or Software Restriction Policies tied to RDS.
Persistence & Lateral Movement: Maintains long-term access via RemoteApp even after other footholds are burned.

Recommendations

Enforce strict Group Policy to manage RemoteApp behavior
Lock down registry permissions on TSAppAllowList
Monitor for suspicious RemoteApp-related PowerShell activity
Correlate RDS usage with process tree anomalies and lateral movement trails
Restrict PowerShell access using Constrained Language Mode in sensitive environments

MITRE ATT&CK Mappings

ID	*Technique*	*Observed* Behavior
*T1112*	Modify Registry	Disabled fDisabledAllowList to bypass RemoteApp restrictions
*T1021.001*	Remote Services: RDP	Leveraged RDS to maintain access