Suspicious RDP Redirect Using TSCON

 1title: Suspicious RDP Redirect Using TSCON
 2id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
 3status: test
 4description: Detects a suspicious RDP session redirect using tscon.exe
 5references:
 6    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
 7    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 8    - https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
 9author: Florian Roth (Nextron Systems)
10date: 2018/03/17
11modified: 2023/05/16
12tags:
13    - attack.lateral_movement
14    - attack.t1563.002
15    - attack.t1021.001
16    - car.2013-07-002
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        CommandLine|contains: ' /dest:rdp-tcp#'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

• Passwordless RDP Session Hijacking Feature All Windows versions

  

  0-day or feature? All windows privilege escalation / session hijacking.

  
  Read More

• RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an…

  

  How you can very easily use Remote Desktop Services to gain lateral movement through a network, using no external software — and how to…

  
  Read More

• RDP Session Hijacking with tscon - Hacking Articles

  

  In this article, we will learn to hijack an RDP session using various methods. This is a part of Lateral movement which is a technique

  
  Read More

Related rules

• RDP Login from Localhost
• Scanner PoC for CVE-2019-0708 RDP RCE Vuln
• Potential RDP Exploit CVE-2019-0708
• Terminal Service Process Spawn
• Potential MSTSC Shadowing Activity