Detectionhightest

Hijack Legit RDP Session to Move Laterally

Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Samir BousseadenCreated Thu Feb 21Updated Sat Nov 2752753ea4-b3a0-4365-910d-36cff487b789windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image|endswith: '\mstsc.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Other

attack.t1219.002

Rule Metadata

Rule ID

52753ea4-b3a0-4365-910d-36cff487b789

Status

test

Level

high

Type

Detection

Created

Thu Feb 21

Modified

Sat Nov 27

Author

Samir Bousseaden

Path

rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml

Raw Tags

attack.command-and-controlattack.t1219.002

View on GitHub