Potential RDP Session Hijacking Activity

Detects potential RDP Session Hijacking activity on Windows systems

Sigma rule

title: Potential RDP Session Hijacking Activity
id: 224f140f-3553-4cd1-af78-13d81bf9f7cc
status: test
description: Detects potential RDP Session Hijacking activity on Windows systems
references:
    - https://twitter.com/Moti_B/status/909449115477659651
author: '@juju4'
date: 2022-12-27
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\tscon.exe'
        - OriginalFileName: 'tscon.exe'
    selection_integrity:
        IntegrityLevel: SYSTEM
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium
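Added worked example, not code from the rule author or the Sigma project: a hand-written Python evaluator that mirrors this rule's detection block over constructed Sysmon-style process_creation events. It shows that the two items under selection_img are OR'ed, that the selections are AND'ed by "all of selection_*", and that Sigma string matching is case-insensitive by default (which is why Sysmon's "System" value satisfies the rule's "SYSTEM"). The event dicts and their "id" labels are constructed for the example.

```python
# Added example (not the Sigma project's or rule author's code): a hand-written
# evaluator for this rule's detection block, run over constructed Sysmon-style
# process_creation events. It is not a Sigma backend; it only mirrors the rule.

# Sigma string modifiers and plain equality are case-insensitive by default.
def _endswith_ci(value, suffix):
    return isinstance(value, str) and value.lower().endswith(suffix.lower())

def _equals_ci(value, expected):
    return isinstance(value, str) and value.lower() == expected.lower()

def selection_img(event):
    """List items under selection_img are OR'ed: either field may match."""
    return (_endswith_ci(event.get("Image"), "\\tscon.exe")
            or _equals_ci(event.get("OriginalFileName"), "tscon.exe"))

def selection_integrity(event):
    return _equals_ci(event.get("IntegrityLevel"), "SYSTEM")

def matches(event):
    """condition: all of selection_* -> every selection must hold."""
    return selection_img(event) and selection_integrity(event)

# Constructed sample events (field names as Sysmon Event ID 1 exposes them).
SAMPLE_EVENTS = [
    {"id": "system-tscon", "Image": r"C:\Windows\System32\tscon.exe",
     "OriginalFileName": "tscon.exe", "IntegrityLevel": "System"},
    {"id": "admin-tscon", "Image": r"C:\Windows\System32\tscon.exe",
     "OriginalFileName": "tscon.exe", "IntegrityLevel": "High"},
    {"id": "renamed-copy", "Image": r"C:\Temp\svc.exe",
     "OriginalFileName": "tscon.exe", "IntegrityLevel": "SYSTEM"},
    {"id": "unrelated-system", "Image": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "services.exe", "IntegrityLevel": "System"},
]

def alerts(events):
    """Return the ids of the events that satisfy the rule."""
    return [e["id"] for e in events if matches(e)]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:>18}: {'ALERT' if matches(event) else 'no match'}")
```

The "renamed-copy" event fires only because the rule also checks OriginalFileName, and the "admin-tscon" event does not fire because the integrity selection is what separates ordinary administrative use from the SYSTEM-context case the rule targets.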
