Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
Sigma rule (View on GitHub)
1title: Suspicious RDP Redirect Using TSCON
2id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
3status: test
4description: Detects a suspicious RDP session redirect using tscon.exe
5references:
6 - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
7 - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
8 - https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
9author: Florian Roth (Nextron Systems)
10date: 2018-03-17
11modified: 2023-05-16
12tags:
13 - attack.lateral-movement
14 - attack.t1563.002
15 - attack.t1021.001
16 - car.2013-07-002
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 CommandLine|contains: ' /dest:rdp-tcp#'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
Related rules
- Outbound RDP Connections Over Non-Standard Tools
- RDP Login from Localhost
- RDP Over Reverse SSH Tunnel
- RDP over Reverse SSH Tunnel WFP
- RDP to HTTP or HTTPS Target Ports