Suspicious TSCON Start as SYSTEM

 1title: Suspicious TSCON Start as SYSTEM
 2id: 9847f263-4a81-424f-970c-875dab15b79b
 3status: test
 4description: Detects a tscon.exe start as LOCAL SYSTEM
 5references:
 6    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
 7    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 8    - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
 9author: Florian Roth (Nextron Systems)
10date: 2018-03-17
11modified: 2022-05-27
12tags:
13    - attack.command-and-control
14    - attack.t1219
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        User|contains: # covers many language settings
21            - 'AUTHORI'
22            - 'AUTORI'
23        Image|endswith: '\tscon.exe'
24    condition: selection
25falsepositives:
26    - Unknown
27level: high

References

• Passwordless RDP Session Hijacking Feature All Windows versions

  

  0-day or feature? All windows privilege escalation / session hijacking.

  
  Read More

• RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an…

  

  How you can very easily use Remote Desktop Services to gain lateral movement through a network, using no external software — and how to…

  
  Read More

• RDP Hijacking for Lateral Movement with tscon | Red Team Notes

  

  This lab explores a technique that allows a SYSTEM account to move laterally through the network using RDP without the need for credentials.

  
  Read More

Related rules

• Anydesk Temporary Artefact
• DNS Query To AzureWebsites.NET By Non-Browser Process
• GoToAssist Temporary Installation Artefact
• HackTool - Inveigh Execution Artefacts
• HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators