CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
5da0f5e322de5996e616563f73d6da3be4e10bc3
hayabusa/rules/sigma/process_creation/win_susp_tscon_localsystem.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

33 lines
925 B
YAML
Raw Blame History

title: Suspicious TSCON Start as SYSTEM
ruletype: Sigma
author: Florian Roth
date: 2018/03/17
description: Detects a tscon.exe start as LOCAL SYSTEM
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
User:
- NT AUTHORITY\SYSTEM*
- AUTORITE NT\Sys*
SELECTION_3:
Image: '*\tscon.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 9847f263-4a81-424f-970c-875dab15b79b
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/29
references:
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
- https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
status: experimental
tags:
- attack.command_and_control
- attack.t1219
Reference in New Issue View Git Blame Copy Permalink