{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/shadowing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows NT","Microsoft Defender XDR","Elastic Endgame","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["rdp","shadowing","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. The rule aims to detect adversaries abusing the RDP Shadowing feature to monitor or control other users\u0026rsquo; active RDP sessions. The rule leverages data from various sources including endpoint logs, Windows event logs (Sysmon), Elastic Endgame, Microsoft Defender XDR, and SentinelOne Cloud Funnel. RDP Shadowing can be abused to gain unauthorized access to sensitive information or perform malicious actions on behalf of the user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system via compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the RDP Shadow registry key to enable shadowing without user consent (e.g., setting the \u003ccode\u003eShadow\u003c/code\u003e value to \u003ccode\u003e2\u003c/code\u003e or \u003ccode\u003e4\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003emstsc.exe\u003c/code\u003e with the \u003ccode\u003e/shadow\u003c/code\u003e parameter to initiate a shadowing session of a target user\u0026rsquo;s RDP session. 
The attacker may also use the \u003ccode\u003e/control\u003c/code\u003e or \u003ccode\u003e/noConsentPrompt\u003c/code\u003e parameters to further conceal the activity.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker may execute \u003ccode\u003eRdpSaUacHelper.exe\u003c/code\u003e or \u003ccode\u003eRdpSaProxy.exe\u003c/code\u003e processes, typically launched by \u003ccode\u003esvchost.exe\u003c/code\u003e, on the target system to facilitate the shadowing connection.\u003c/li\u003e\n\u003cli\u003eThe system allows the attacker to view and potentially control the target user\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors user activity, steals credentials, or performs other malicious actions within the compromised session.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by ensuring that the modified registry settings remain in place.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful RDP shadowing can lead to unauthorized access to sensitive data, credential theft, and the ability to perform malicious actions on behalf of the compromised user. This can result in financial loss, data breaches, and reputational damage. 
The number of victims and sectors targeted depends on the scope of the attacker\u0026rsquo;s initial access and the value of the targeted user\u0026rsquo;s session.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications related to the RDP Shadow key and alert on unexpected changes using the Sigma rule \u003ccode\u003eDetect RDPSaUacHelper or RDPSaProxy Execution\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDetect the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e with the \u003ccode\u003e/shadow\u003c/code\u003e parameter to identify potential shadowing attempts using the Sigma rule \u003ccode\u003eDetect RDP Shadow Registry Modification\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging and process creation logging to capture the necessary data for the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to RDP shadowing promptly to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eReview and restrict RDP shadow permissions to limit who can shadow sessions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T17:46:23Z","date_published":"2026-05-12T17:46:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-potential-rdp-shadowing/","summary":"This brief detects potential remote desktop shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session, which adversaries may abuse to spy on or control other users' RDP sessions.","title":"Potential Remote Desktop Shadowing Activity","url":"https://feed.craftedsignal.io/briefs/2026-05-potential-rdp-shadowing/"}],"language":"en","title":"CraftedSignal Threat Feed — Shadowing","version":"https://jsonfeed.org/version/1.1"}