From 5f0589b78799d4e2b59b51bb7c7dd04b19ae7cb7 Mon Sep 17 00:00:00 2001
From: Florian Roth <florian.roth@bsk-consulting.de>
Date: Fri, 24 Jan 2020 16:18:19 +0100
Subject: [PATCH] rule: mstsc shadowing

---
 .../win_rdp_hijack_shadowing.yml              | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/process_creation/win_rdp_hijack_shadowing.yml

diff --git a/rules/windows/process_creation/win_rdp_hijack_shadowing.yml b/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
new file mode 100644
index 000000000..f08c5f3f2
--- /dev/null
+++ b/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
@@ -0,0 +1,21 @@
+title: MSTSC Shadowing
+id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
+status: Detects RDP session hijacking by using MSTSC shadowing
+description: 
+author: Florian Roth
+date: 2020/01/24
+references:
+    - https://twitter.com/kmkz_security/status/1220694202301976576
+    - https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all: 
+            - 'noconsentprompt'
+            - 'shadow:'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high