From 7e96efb030736d0921c7c85d7d8f49a39ac0cc97 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 27 Sep 2020 09:32:55 -0500 Subject: [PATCH] T1563.002 RDP Hijack --- LateralMovement.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/LateralMovement.md b/LateralMovement.md index 0c7377b..5f5d89f 100644 --- a/LateralMovement.md +++ b/LateralMovement.md @@ -11,6 +11,12 @@ Atomics: [T1550.003](https://github.com/redcanaryco/atomic-red-team/blob/master/ ### T1563.002 RDP Hijacking Atomics: [T1563.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md) +Detects RDS and RemoteApp session redirections for lateral movement. + +``` +SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:" +``` + ### T1021.001 Remote Desktop Protocol Atomics: [T1021.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md)
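Review bot: In the query added under `### T1563.002 RDP Hijacking`, the process name is compared with `=` while the command line uses `ContainsCIS`. If `=` is case-sensitive in this query language, an image name recorded as `TSCON.EXE` would not match, so consider a case-insensitive comparison for `SrcProcName` too. The description line also claims more than the condition checks: it says the rule detects "RDS and RemoteApp session redirections", but the query only matches `tscon.exe` started with a `/dest:` argument. Suggest rewording the description to say exactly that, and adding a sentence that legitimate administrative use of `tscon.exe` with `/dest:` will also match, so readers know hits need triage.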