Potential RDP Session Hijacking Activity
Detects potential RDP Session Hijacking activity on Windows systems
Sigma rule
title: Potential RDP Session Hijacking Activity
id: 224f140f-3553-4cd1-af78-13d81bf9f7cc
status: test
description: Detects potential RDP Session Hijacking activity on Windows systems
references:
    - https://twitter.com/Moti_B/status/909449115477659651
author: '@juju4'
date: 2022-12-27
modified: 2024-12-01
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\tscon.exe'
        - OriginalFileName: 'tscon.exe'
    selection_integrity:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium
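The rule's matching semantics in plain code, as an added example that is not part of the SigmaHQ project: a list of maps under selection_img is an OR between the two field tests, a list of values under IntegrityLevel is an OR between values, and "all of selection_*" ANDs the two selections, with Sigma's default case-insensitive string matching. The sample process_creation events are constructed, not real telemetry.

```python
# Added example: a minimal evaluator for the Sigma rule above, run over
# constructed process_creation events. Not SigmaHQ code.
from typing import Iterable

# Field values copied from the rule above.
IMAGE_SUFFIX = r"\tscon.exe"
ORIGINAL_FILE_NAME = "tscon.exe"
INTEGRITY_LEVELS = {"system", "s-1-16-16384"}


def _lower(value) -> str:
    """Sigma string matching is case-insensitive by default."""
    return str(value or "").lower()


def selection_img(event: dict) -> bool:
    """selection_img is a list of maps: OR between Image and OriginalFileName."""
    return (_lower(event.get("Image")).endswith(IMAGE_SUFFIX)
            or _lower(event.get("OriginalFileName")) == ORIGINAL_FILE_NAME)


def selection_integrity(event: dict) -> bool:
    """IntegrityLevel is a list of values: OR between the two accepted values."""
    return _lower(event.get("IntegrityLevel")) in INTEGRITY_LEVELS


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* means both selections must match."""
    return selection_img(event) and selection_integrity(event)


# Constructed sample events (not real telemetry). Event 2 shows why the rule
# also keys on OriginalFileName: a renamed binary still carries it.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tscon.exe", "OriginalFileName": "tscon.exe",
     "IntegrityLevel": "System"},
    {"Image": r"C:\Windows\System32\tscon.exe", "OriginalFileName": "tscon.exe",
     "IntegrityLevel": "High"},
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "TSCON.EXE",
     "IntegrityLevel": "S-1-16-16384"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "IntegrityLevel": "System"},
]


def matching_indices(events: Iterable[dict]) -> list:
    """Return indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    print(matching_indices(SAMPLE_EVENTS))  # -> [0, 2]
```

Event 1 is dropped because tscon.exe run at High integrity (an ordinary elevated admin) does not satisfy selection_integrity, which is what keeps the rule at medium rather than flagging every interactive use.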
Related rules
- CMSTP UAC Bypass via COM Object Access
- UAC Bypass Using IDiagnostic Profile
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- Malicious PowerShell Commandlets - ProcessCreation
- Peach Sandstorm APT Process Activity Indicators