From a2b309404b46f3dfe2e6147e697d44a654722e87 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 27 Feb 2019 17:52:20 +0300 Subject: [PATCH] Create win_rdp_session_hijacking.yml Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user. This can be done remotely or locally and with active or disconnected sessions. It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. --- .../builtin/win_rdp_session_hijacking.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/builtin/win_rdp_session_hijacking.yml diff --git a/rules/windows/builtin/win_rdp_session_hijacking.yml b/rules/windows/builtin/win_rdp_session_hijacking.yml new file mode 100644 index 000000000..0ea0829cc --- /dev/null +++ b/rules/windows/builtin/win_rdp_session_hijacking.yml @@ -0,0 +1,23 @@ +title: RDP Session Hijacking detected +description: Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. +references: + - http://blog.gentilkiwi.com/securite/vol-de-session-rdp + - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html +date: 2019/02/27 +modified: 2019/02/27 +tags: + - attack.lateral_movement +status: experimental +author: vburov +logsource: + product: windows + service: security +detection: + selection: + EventID: 4688 + NewProcessName: "*\tscon.exe" + SecurityID: "System" + condition: selection +falsepositives: + - Unknown +level: high
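Review bot: the `NewProcessName: "*\tscon.exe"` line will never match, because inside a YAML double-quoted scalar `\t` is the tab escape, so the parsed value is `*<TAB>scon.exe` rather than `*\tscon.exe`; use a single-quoted scalar (`NewProcessName: '*\tscon.exe'`) or escape the backslash (`"*\\tscon.exe"`). The `SecurityID: "System"` selector also needs checking against the event XML: for event 4688 the subject is carried in `SubjectUserSid` (`S-1-5-18` for LocalSystem) and `SubjectUserName` (`SYSTEM`), while "Security ID" is only the Event Viewer display label, so as written this condition may never be satisfied either. Since the selection does not inspect the command line, every tscon.exe launched under SYSTEM will fire; `falsepositives` should therefore name legitimate administrative reconnection of sessions instead of `Unknown`, and the `description` could mention that process creation auditing (4688) must be enabled for the rule to produce anything.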