Potential RDP Session Hijacking Activity
Detects potential RDP Session Hijacking activity on Windows systems
Sigma rule:

```yaml
title: Potential RDP Session Hijacking Activity
id: 224f140f-3553-4cd1-af78-13d81bf9f7cc
status: test
description: Detects potential RDP Session Hijacking activity on Windows systems
references:
    - https://twitter.com/Moti_B/status/909449115477659651
author: '@juju4'
date: 2022/12/27
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\tscon.exe'
        - OriginalFileName: 'tscon.exe'
    selection_integrity:
        IntegrityLevel: SYSTEM
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium
```
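The rule's matching logic applied to process-creation events, as an added Python example that is not part of the Sigma project or of this rule. Field names follow the Sigma `process_creation` schema (Image, OriginalFileName, IntegrityLevel); the sample events and their `label` values are constructed, not real telemetry.

```python
"""Evaluate the 'Potential RDP Session Hijacking Activity' Sigma rule.

Added example, not Sigma project code.  selection_img is a YAML list of
maps, so its entries are OR-ed; 'all of selection_*' AND-s the selections.
Sigma string matching is case-insensitive, which matters here: Sysmon
reports the integrity level as 'System' while the rule spells it SYSTEM.
"""


def selection_img(event: dict) -> bool:
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    # Image|endswith: '\tscon.exe'  OR  OriginalFileName: 'tscon.exe'
    # OriginalFileName (from the PE version resource) also catches a
    # tscon.exe that was copied under another name.
    return image.endswith("\\tscon.exe") or original == "tscon.exe"


def selection_integrity(event: dict) -> bool:
    return (event.get("IntegrityLevel") or "").lower() == "system"


def matches(event: dict) -> bool:
    # condition: all of selection_*
    return selection_img(event) and selection_integrity(event)


# Constructed sample events; 'label' is only an identifier for the example.
SAMPLE_EVENTS = [
    {"label": "tscon-system", "Image": r"C:\Windows\System32\tscon.exe",
     "OriginalFileName": "tscon.exe", "IntegrityLevel": "System"},
    {"label": "tscon-high", "Image": r"C:\Windows\System32\tscon.exe",
     "OriginalFileName": "tscon.exe", "IntegrityLevel": "High"},
    {"label": "renamed-tscon-system", "Image": r"C:\Temp\svc.exe",
     "OriginalFileName": "tscon.exe", "IntegrityLevel": "System"},
    {"label": "query-system", "Image": r"C:\Windows\System32\query.exe",
     "OriginalFileName": "query.exe", "IntegrityLevel": "System"},
]


def alerts(events) -> list:
    """Return the labels of events the rule would flag."""
    return [e["label"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['tscon-system', 'renamed-tscon-system']
```

The second sample shows why the integrity-level selection is there: tscon.exe run by an interactive administrator at High integrity is the documented false positive, and only the SYSTEM-level execution the rule targets is flagged.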
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Change PowerShell Policies to an Insecure Level - PowerShell
- ImagingDevices Unusual Parent/Child Processes
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell