Product
This brief detects potential remote desktop shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session, which adversaries may abuse to spy on or control other users' RDP sessions.