Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- title: Hijack legit RDP session to move laterally
- status: experimental
- description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
- date: 2019/02/21
- author: Samir Bousseaden
- logsource:
- product: windows
- service: sysmon
- detection:
- selection:
- EventID: 11
- Image: '*\mstsc.exe'
- TargetFileName: '*\Microsoft\Windows\Start Menu\Programs\Startup\*'
- condition: selection
- falsepositives:
- - unknown
- level: high
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement