From a2b309404b46f3dfe2e6147e697d44a654722e87 Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Wed, 27 Feb 2019 17:52:20 +0300
Subject: [PATCH 1/2] Create win_rdp_session_hijacking.yml
Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user. This can be done remotely or locally and with active or disconnected sessions. It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session.
---
 .../builtin/win_rdp_session_hijacking.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/builtin/win_rdp_session_hijacking.yml
diff --git a/rules/windows/builtin/win_rdp_session_hijacking.yml b/rules/windows/builtin/win_rdp_session_hijacking.yml
new file mode 100644
index 000000000..0ea0829cc
--- /dev/null
+++ b/rules/windows/builtin/win_rdp_session_hijacking.yml
@@ -0,0 +1,23 @@
+title: RDP Session Hijacking detected
+description: Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session.
+references:
+ - http://blog.gentilkiwi.com/securite/vol-de-session-rdp
+ - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
+date: 2019/02/27
+modified: 2019/02/27
+tags:
+ - attack.lateral_movement
+status: experimental
+author: vburov
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4688
+ NewProcessName: "*\tscon.exe"
+ SecurityID: "System"
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 7efc704ccf4aa7663490b1ab26b1fe9c298d2054 Mon Sep 17 00:00:00 2001
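Review bot: `NewProcessName: "*\tscon.exe"` is double-quoted, so the YAML parser decodes `\t` as a TAB character and the selection matches `*<TAB>scon.exe`, never the real path ending in `\tscon.exe`; single quotes keep the backslash literal, `NewProcessName: '*\tscon.exe'`. `SecurityID` is the display label shown in the rendered 4688 message rather than an EventData field name; the field is `SubjectUserSid`, and its value is a SID (`S-1-5-18` for the local SYSTEM account) rather than the word `System`, so `SubjectUserSid: 'S-1-5-18'` (or `SubjectUserName: 'SYSTEM'`) is what a backend can actually match. The indentation of the nested keys cannot be verified in this collapsed view; confirm `EventID`, `NewProcessName` and `SecurityID` are indented under `selection` and not siblings of it. tscon.exe is also run legitimately by administrators reconnecting sessions, so `falsepositives` deserves a concrete entry such as `- Administrative use of tscon.exe under the SYSTEM account` in place of `Unknown`.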
From: Vasiliy Burov
Date: Wed, 27 Feb 2019 17:58:23 +0300
Subject: [PATCH 2/2] Update win_rdp_session_hijacking.yml
---
 rules/windows/builtin/win_rdp_session_hijacking.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/builtin/win_rdp_session_hijacking.yml b/rules/windows/builtin/win_rdp_session_hijacking.yml
index 0ea0829cc..f50381960 100644
--- a/rules/windows/builtin/win_rdp_session_hijacking.yml
+++ b/rules/windows/builtin/win_rdp_session_hijacking.yml
@@ -12,6 +12,7 @@ author: vburov
 logsource:
 product: windows
 service: security
+definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
 selection:
 EventID: 4688
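Review bot: The added `definition:` line needs to be nested under `logsource` at the same indent as `product` and `service`, because Sigma defines `definition` as a `logsource` attribute rather than a top-level rule key; its indentation cannot be confirmed in this collapsed view, so verify it before merge. At top level the file still parses, but schema-aware consumers may reject or silently ignore the requirement text. The second requirement listed (the Audit Process Creation administrative template) appears to govern command-line inclusion in 4688 events, which this rule's selection does not consume; it is harmless but could be noted as optional. The single quotes here correctly keep the backslashes in the GPO path literal.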