Find sigma rule 
Attack: Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
Adversaries may perform RDP session hijacking which involves stealing a legitimate user’s remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)
MITRE
Tactic
- lateral-movement
technique
- T1563.002
Test : RDP hijacking
OS
- windows
Description:
RDP hijacking - how to hijack RDS and RemoteApp sessions transparently to move through an organization
Executor
command_prompt
Sigma Rule
-
proc_creation_win_susp_local_system_owner_account_discovery.yml (id: 502b42de-4306-40b4-9596-6f590c81f073)
-
proc_creation_win_net_execution.yml (id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac)
-
proc_creation_win_net_start_service.yml (id: 2a072a96-a086-49fa-bcb5-15cc5a619093)
-
proc_creation_win_susp_abusing_debug_privilege.yml (id: d522eca2-2973-4391-a3e0-ef0374321dae)
-
proc_creation_win_tscon_localsystem.yml (id: 9847f263-4a81-424f-970c-875dab15b79b)