Remote Desktop Protocol Hijack¶
Identifies possible Remote Desktop Protocol session hijacking
| id: | 46ff4da0-2f55-4023-8de3-1709fbd33f1d |
|---|---|
| categories: | hunt |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Lateral Movement |
|---|---|
| techniques: | T1076 Remote Desktop Protocol |
Query¶
process where subtype.create and
process_name == "tscon.exe" and command_line == "* *"