T1563.002 RDP Hijacking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Part 1: Direct tscon.exe execution — primary indicator of RDP session hijacking
let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
let PrivilegedParents = dynamic(["services.exe", "svchost.exe", "psexec.exe", "psexesvc.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "tscon.exe"
| extend IsSystemContext = (AccountName =~ "SYSTEM" or AccountDomain =~ "NT AUTHORITY")
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend PrivilegedParent = InitiatingProcessFileName in~ (PrivilegedParents)
| extend HasSessionArg = ProcessCommandLine matches regex @"tscon\.exe\s+\d+"
| extend HasDestArg = ProcessCommandLine has "/dest:"
| project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsSystemContext, SuspiciousParent, PrivilegedParent, HasSessionArg, HasDestArg
| sort by Timestamp desc
| union (
// Part 2: Service creation to run tscon.exe as SYSTEM (privilege escalation vector)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sc.exe"
| where ProcessCommandLine has "tscon"
| extend TacticDetail = "Service-based tscon execution — SYSTEM privilege escalation for session hijack"
| project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TacticDetail
)
| union (
// Part 3: Session enumeration immediately before potential hijack (recon phase)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("qwinsta.exe", "query.exe")
| where ProcessCommandLine has_any ("session", "user", "/server:")
| extend TacticDetail = "RDP session enumeration — likely precursor to session hijack"
| project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TacticDetail
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Helpdesk and IT support staff using tscon.exe to shadow or take over sessions for authorized remote assistance
RDS session management scripts that reconnect disconnected sessions as part of VDI maintenance workflows
Terminal Services administrators using qwinsta/query session for routine session inventory and cleanup
Automated session management tools for Citrix or RDS environments that legitimately enumerate and transfer sessions

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    Image="*\\tscon.exe"
  | eval Detection="tscon_direct_execution"
  | eval IsSystemContext=if(match(User, "(?i)(system|nt authority)"), 1, 0)
  | eval HasSessionArg=if(match(CommandLine, "tscon\.exe\s+\d+"), 1, 0)
  | eval HasDestArg=if(match(CommandLine, "/dest:"), 1, 0)
  | eval SuspiciousParent=if(match(ParentImage, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)"), 1, 0)
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
          Detection, IsSystemContext, HasSessionArg, HasDestArg, SuspiciousParent
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    Image="*\\sc.exe" CommandLine="*tscon*"
  | eval Detection="service_creation_tscon"
  | eval TacticDetail="Service-based tscon execution for SYSTEM privilege"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Detection, TacticDetail
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\qwinsta.exe" OR (Image="*\\query.exe" AND (CommandLine="*session*" OR CommandLine="*user*")))
  | eval Detection="rdp_session_enumeration"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Detection
]
[
  search index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4778 OR EventCode=4779)
  | eval Detection=case(
      EventCode=4778, "rdp_session_reconnect",
      EventCode=4779, "rdp_session_disconnect",
      true(), "unknown"
    )
  | eval AccountName=mvindex(Account_Name, 0)
  | eval ClientName=mvindex(Client_Name, 0)
  | eval SessionName=mvindex(Session_Name, 0)
  | table _time, host, AccountName, ClientName, SessionName, EventCode, Detection
]
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Logon Session: Logon Session Metadata Sysmon Event ID 1 Windows Security Event IDs 4778, 4779

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Helpdesk staff using tscon.exe for authorized remote assistance to end users
RDS or VDI administrators using session management scripts with qwinsta for capacity management
Event IDs 4778/4779 fire on every normal RDP connect and disconnect — high volume environments will need correlation with tscon.exe events to reduce noise
Automated terminal server session management products (Citrix Director, RD Connection Broker) generating session reconnect events

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.name : "tscon.exe" and
  (
    process.parent.name : ("cmd.exe","powershell.exe","powershell_ise.exe","pwsh.exe",
                            "wscript.exe","cscript.exe","mshta.exe","services.exe","svchost.exe") or
    process.args : ("/dest:console","/v","/password:")
  )

high severity high confidence

Data Sources

Windows Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Helpdesk and IT support staff using tscon.exe to shadow or take over sessions for authorized remote assistance
RDS session management scripts that reconnect disconnected sessions as part of VDI maintenance workflows
Terminal Services administrators using qwinsta/query session for routine session inventory and cleanup
Automated session management tools for Citrix or RDS environments that legitimately enumerate and transfer sessions

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine, "ParentImage" as ParentProcess,
  CASE WHEN "ParentImage" ILIKE '%services.exe%' OR "ParentImage" ILIKE '%svchost.exe%' THEN 10
       WHEN "CommandLine" ILIKE '%/dest:console%' THEN 9
       WHEN "ParentImage" ILIKE '%powershell%' THEN 8
       ELSE 6 END as RiskScore
FROM events
WHERE eventid IN (1, 4688)
  AND "Image" ILIKE '%tscon.exe%'
  AND (
    LOWER(coalesce("ParentImage","")) LIKE ANY ('%cmd.exe%','%powershell%','%wscript%','%cscript%',
                                                 '%mshta%','%services.exe%','%svchost%','%psexec%')
    OR "CommandLine" ILIKE '%/dest:console%'
    OR "CommandLine" ILIKE '%/password:%'
  )
ORDER BY RiskScore DESC, EventTime DESC

high severity high confidence

Data Sources

Windows Security Event Log Windows Sysmon

Required Tables

events

False Positives

Helpdesk and IT support staff using tscon.exe to shadow or take over sessions for authorized remote assistance
RDS session management scripts that reconnect disconnected sessions as part of VDI maintenance workflows
Terminal Services administrators using qwinsta/query session for routine session inventory and cleanup
Automated session management tools for Citrix or RDS environments that legitimately enumerate and transfer sessions

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json auto
| where EventID in ("1","4688")
| where toLower(coalesce(Image, NewProcessName, "")) matches ".*tscon\.exe$"
| eval ParentLower = toLower(coalesce(ParentImage, ParentProcessName, ""))
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval is_suspicious = if(
    ParentLower matches ".*(cmd|powershell|wscript|cscript|mshta|services|svchost|psexec).*" OR
    CmdLower matches ".*/dest:console.*" OR CmdLower matches ".*/password:.*",
    1, 0)
| where is_suspicious == 1
| eval risk = if(ParentLower matches ".*(services|svchost).*", "critical",
    if(ParentLower matches ".*(powershell|wscript|psexec).*", "high", "medium"))
| table _time, Computer, User, Image, CommandLine, ParentImage, risk
| sort by _time desc

high severity high confidence

Data Sources

Windows Security Events via Sumo Logic Windows Sysmon via Sumo Logic

Required Tables

windows/sysmon windows/security

False Positives

Helpdesk and IT support staff using tscon.exe to shadow or take over sessions for authorized remote assistance
RDS session management scripts that reconnect disconnected sessions as part of VDI maintenance workflows
Terminal Services administrators using qwinsta/query session for routine session inventory and cleanup
Automated session management tools for Citrix or RDS environments that legitimately enumerate and transfer sessions

Google Chronicle / SecOps

yaral

rule rdp_session_hijacking {
  meta:
    author = "Detection Engineering"
    description = "Detects RDP session hijacking via tscon.exe (T1563.002)"
    severity = "HIGH"
    tactic = "TA0008"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.file.full_path, `(?i)tscon\.exe`) nocase
    (
      re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell|wscript|cscript|mshta|services\.exe|svchost)`) nocase or
      re.regex($e.target.process.command_line, `(?i)/dest:console|/password:`) nocase
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Helpdesk and IT support staff using tscon.exe to shadow or take over sessions for authorized remote assistance
RDS session management scripts that reconnect disconnected sessions as part of VDI maintenance workflows
Terminal Services administrators using qwinsta/query session for routine session inventory and cleanup
Automated session management tools for Citrix or RDS environments that legitimately enumerate and transfer sessions

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /tscon\.exe$/i
| (ParentBaseFileName = /(cmd|powershell|pwsh|wscript|cscript|mshta|services|svchost|psexec)/i
   OR CommandLine = /(\/dest:console|\/password:)/i)
| eval risk = case {
    ParentBaseFileName = /(services|svchost)/i : "critical";
    CommandLine = /\/dest:console/i : "high";
    ParentBaseFileName = /(powershell|psexec)/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, risk
| sort by timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Helpdesk and IT support staff using tscon.exe to shadow or take over sessions for authorized remote assistance
RDS session management scripts that reconnect disconnected sessions as part of VDI maintenance workflows
Terminal Services administrators using qwinsta/query session for routine session inventory and cleanup
Automated session management tools for Citrix or RDS environments that legitimately enumerate and transfer sessions

RDP Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections