SigmaHQ/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
Sven Scharmentke 4ed512011a All Rules use 'TargetFilename' instead of 'TargetFileName'.
This commit fixes the incorrect spelling.
2020-06-03 09:00:59 +02:00

19 lines
537 B
YAML

title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: experimental
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
date: 2019/02/21
author: Samir Bousseaden
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
Image: '*\mstsc.exe'
TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
condition: selection
falsepositives:
- unknown
level: high