SigmaHQ/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
2019-04-03 13:19:59 +02:00

18 lines
497 B
YAML

title: Hijack legit RDP session to move laterally
status: experimental
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
date: 2019/02/21
author: Samir Bousseaden
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
Image: '*\mstsc.exe'
TargetFileName: '*\Microsoft\Windows\Start Menu\Programs\Startup\*'
condition: selection
falsepositives:
- unknown
level: high