Potential MSTSC Shadowing Activity

Feb 5, 2023 · attack.lateral_movement attack.t1563.002 ·

Detects RDP session hijacking by using MSTSC shadowing

Sigma rule (View on GitHub)

 1title: Potential MSTSC Shadowing Activity
 2id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
 3status: test
 4description: Detects RDP session hijacking by using MSTSC shadowing
 5references:
 6    - https://twitter.com/kmkz_security/status/1220694202301976576
 7    - https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet
 8author: Florian Roth (Nextron Systems)
 9date: 2020/01/24
10modified: 2023/02/05
11tags:
12    - attack.lateral_movement
13    - attack.t1563.002
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'noconsentprompt'
21            - 'shadow:'
22    condition: selection
23falsepositives:
24    - Unknown
25level: high

References

Something went wrong, but don’t fret — let’s give it another shot.

Read More
Pentesting/Post-Exploitation-Cheat-Sheet at 47592e5e160d3b86c2024f09ef04ceb87d204995 · kmkz/Pentesting

Tricks for penetration testing. Contribute to kmkz/Pentesting development by creating an account on GitHub.

Read More

Potential MSTSC Shadowing Activity

Sigma rule (View on GitHub)

References

Pentesting/Post-Exploitation-Cheat-Sheet at 47592e5e160d3b86c2024f09ef04ceb87d204995 · kmkz/Pentesting

Related rules