Potential MSTSC Shadowing Activity
Detects RDP session hijacking by using MSTSC shadowing
Sigma rule (View on GitHub)
1title: Potential MSTSC Shadowing Activity
2id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
3status: test
4description: Detects RDP session hijacking by using MSTSC shadowing
5references:
6 - https://twitter.com/kmkz_security/status/1220694202301976576
7 - https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet
8author: Florian Roth (Nextron Systems)
9date: 2020/01/24
10modified: 2023/02/05
11tags:
12 - attack.lateral_movement
13 - attack.t1563.002
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 CommandLine|contains|all:
20 - 'noconsentprompt'
21 - 'shadow:'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
Related rules
- Suspicious Plink Port Forwarding
- CobaltStrike Service Installations - Security
- Mimikatz Use
- Enable Windows Remote Management
- Execute Invoke-command on Remote Host