← Back to Explore
sigmahighHunting
Hijack Legit RDP Session to Move Laterally
Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
Detection Query
selection:
Image|endswith: \mstsc.exe
TargetFilename|contains: \Microsoft\Windows\Start Menu\Programs\Startup\
condition: selection
Author
Samir Bousseaden
Created
2019-02-21
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1219.002
Raw Content
title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: test
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
author: Samir Bousseaden
references:
- Internal Research
date: 2019-02-21
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\mstsc.exe'
TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
condition: selection
falsepositives:
- Unlikely
level: high