Create win_rdp_session_hijacking.yml
Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user. This can be done remotely or locally and with active or disconnected sessions. It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session.
This commit is contained in:
Vasiliy Burov
@@ -0,0 +1,23 @@
|
||||
title: RDP Session Hijacking detected
|
||||
description: Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session.
|
||||
references:
|
||||
- http://blog.gentilkiwi.com/securite/vol-de-session-rdp
|
||||
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
|
||||
date: 2019/02/27
|
||||
modified: 2019/02/27
|
||||
tags:
|
||||
- attack.lateral_movement
|
||||
status: experimental
|
||||
author: vburov
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4688
|
||||
NewProcessName: "*\tscon.exe"
|
||||
SecurityID: "System"
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
Reference in New Issue
Block a user