security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
34ea706e4fe91c8a2c7ae11b953407e1dd67a319
blue-team-tools/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
T
Florian Roth f3fedef8f5 Changed category names and remove sysmon log source
2020-06-24 17:41:21 +02:00

18 lines
522 B
YAML
Executable File
Raw Blame History

title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: experimental
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
date: 2019/02/21
author: Samir Bousseaden
logsource:
product: windows
category: file_event
detection:
selection:
Image: '*\mstsc.exe'
TargetFileName: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
condition: selection
falsepositives:
- unknown
level: high
Reference in New Issue View Git Blame Copy Permalink