Tag
This rule detects potential Remote Desktop Shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session that allows adversaries to spy on or control other user's RDP sessions.