Potential MSTSC Shadowing Activity

Last updated on:

Rule name: Potential MSTSC Shadowing Activity

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Lateral Movement: Remote Service Session Hijacking - RDP Hijacking (T1563.002)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This rule detects potential use of the MSTSC shadowing feature, which allows one user to remotely view or control another user's active session without their knowledge or consent. While this capability is sometimes used for legitimate administrative support, it can also be abused by attackers or malicious insiders to covertly spy on users, harvest credentials, or perform unauthorized actions under the guise of a legitimate session. Shadowing typically occurs in environments with Remote Desktop Services (RDS) or terminal servers and may be initiated via command-line tools or scripts that invoke mstsc.exe with shadowing parameters.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Privilege Escalation → Discovery → Defense Evasion → Lateral Movement

Impact

  • Credential theft
  • Lateral Movement
  • Data Exfiltration

Rule Requirement

Prerequisites

Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1: actionname = "Process started" AND COMMANDLINE contains "noconsentprompt" AND COMMANDLINE contains "shadow:" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
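The criteria above applied to constructed Sysmon Event ID 1 records, as an added example that is not part of the original rule page. Hostnames, users, session ids and parent processes are made up; the example assumes the SIEM's "contains" is case-insensitive and maps Sysmon's EventData onto the field names the rule selects.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(host, cmd, user, parent):
    """Build a constructed Sysmon Event ID 1 (process creation) record; sample data only."""
    return f"""<Event xmlns="{NS['e']}"><System><EventID>1</EventID>
<Computer>{host}</Computer></System><EventData>
<Data Name="Image">C:\\Windows\\System32\\mstsc.exe</Data>
<Data Name="CommandLine">{cmd}</Data><Data Name="User">{user}</Data>
<Data Name="ParentImage">{parent}</Data></EventData></Event>"""

# Constructed sample events (hostnames, users and session ids are made up).
SAMPLE_EVENTS = [
    # Shadow session 3 with control and no consent prompt: satisfies the rule
    _event("WS01", "mstsc.exe /v:RDSH01 /shadow:3 /control /noConsentPrompt",
           "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe"),
    # Shadowing that still prompts the user for consent: not matched by this rule
    _event("WS02", "mstsc.exe /v:RDSH01 /shadow:5 /prompt",
           "CORP\\helpdesk", "C:\\Windows\\explorer.exe"),
    # Ordinary admin RDP connection: not matched
    _event("WS03", "mstsc.exe /v:FILESRV01 /admin",
           "CORP\\admin", "C:\\Windows\\explorer.exe"),
]

def parse_event(xml_text):
    """Map a Sysmon record onto the field names used in the rule criteria."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text or "" for d in root.iter(f"{{{NS['e']}}}Data")}
    image = data.get("Image", "")
    started = root.findtext("e:System/e:EventID", "", NS) == "1"
    return {
        "HOSTNAME": root.findtext("e:System/e:Computer", "", NS),
        "MESSAGE": "Process started" if started else "",
        "COMMANDLINE": data.get("CommandLine", ""),
        "FILE_NAME": image.rsplit("\\", 1)[-1],
        "PROCESSNAME": image,
        "USERNAME": data.get("User", ""),
        "PARENTPROCESSNAME": data.get("ParentImage", ""),
    }

def matches_rule(ev):
    """Process started AND command line contains both 'noconsentprompt' and 'shadow:'."""
    cmd = ev["COMMANDLINE"].lower()
    return ev["MESSAGE"] == "Process started" and "noconsentprompt" in cmd and "shadow:" in cmd

def detect(xml_events):
    """Return the selected fields for every record that satisfies the criteria."""
    return [ev for ev in map(parse_event, xml_events) if matches_rule(ev)]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["USERNAME"], hit["PARENTPROCESSNAME"], hit["COMMANDLINE"])
```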

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Lateral Movement: Remote Service Session Hijacking - RDP Hijacking (T1563.002)

Security Standards

Enabling this rule will help you meet the security standard requirement listed below:

DE.AE-07 (Cyber threat intelligence and other contextual information are integrated into the analysis)

When this rule is triggered, it alerts you to potential unauthorized MSTSC shadowing activity—especially when performed without user consent.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

Legitimate IT support or helpdesk personnel using MSTSC shadowing for remote assistance during troubleshooting sessions.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Review the command-line parameters, user context, and session details associated with the MSTSC shadowing activity.
  • Analysis: Correlate with audit logs, user access policies, and session timings to determine if the shadowing was authorized or anomalous.
  • Enforce strict RDP access controls: Only allow authorized administrators to initiate MSTSC shadowing, and require MFA where possible.

Mitigation

M1047 - Audit: Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.

M1042 - Disable or Remove Feature or Program: Disable the RDP service if it is unnecessary.

M1035 - Limit Access to Resource Over Network: Use remote desktop gateways.

M1030 - Network Segmentation: Enable firewall rules to block RDP traffic between network security zones within a network.

M1028 - Operating System Configuration: Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD Session Host server.

M1026 - Privileged Account Management: Consider removing the local Administrators group from the list of groups allowed to log in through RDP.

M1018 - User Account Management: Limit remote user permissions if remote access is necessary.