Remote Desktop Protocol Hijack¶

Identifies possible Remote Desktop Protocol session hijacking

id:	46ff4da0-2f55-4023-8de3-1709fbd33f1d
categories:	hunt
confidence:	low
os:	windows
created:	7/26/2019
updated:	7/26/2019

MITRE ATT&CK™ Mapping¶

tactics:	Lateral Movement
techniques:	T1076 Remote Desktop Protocol

Query¶

process where subtype.create and
  process_name == "tscon.exe" and command_line == "* *"

Contributors¶

Endgame

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.