T1563.002 IBM QRadar · QRadar

Detect RDP Hijacking in IBM QRadar

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Using tscon.exe with SYSTEM-level privileges, an attacker can steal an active or disconnected RDP session without requiring the target user's credentials or generating visible prompts. This technique enables silent lateral movement between systems and can escalate privileges by inheriting the security context of the hijacked session — including Domain Admin accounts. Common execution vectors include creating a transient Windows service to run tscon.exe as SYSTEM, or using PsExec to elevate to SYSTEM before invoking tscon.exe directly.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1563 Remote Service Session Hijacking
Sub-technique
T1563.002 RDP Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1563/002/

QRadar Detection Query

IBM QRadar (AQL)

```sql
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource, username AS User,
  "Image" AS ProcessImage, "CommandLine" AS CommandLine, "ParentImage" AS ParentProcess
FROM events
WHERE "EventID" IN (1, 4688)
  AND "Image" ILIKE '%tscon.exe%'
  AND (
    "ParentImage" ILIKE '%cmd.exe%' OR "ParentImage" ILIKE '%powershell%'
    OR "ParentImage" ILIKE '%wscript%' OR "ParentImage" ILIKE '%cscript%'
    OR "ParentImage" ILIKE '%mshta%' OR "ParentImage" ILIKE '%services.exe%'
    OR "ParentImage" ILIKE '%svchost%' OR "ParentImage" ILIKE '%psexec%'
    OR "CommandLine" ILIKE '%/dest:console%'
    OR "CommandLine" ILIKE '%/password:%'
  )
ORDER BY devicetime DESC
```

Severity: high. Confidence: high.

Detects RDP session hijacking via tscon.exe launched from a suspicious parent process or with session-transfer arguments. Triage hits in this order: tscon.exe whose parent is services.exe or svchost.exe first (a service created to run tscon.exe as SYSTEM is the classic hijack vector), then any invocation carrying /dest:console, then tscon.exe spawned by PowerShell; remaining matches (cmd.exe, script hosts, PsExec, or a /password: argument) are lower priority.

The query assumes the custom event properties EventID, Image, CommandLine and ParentImage are populated for both Sysmon Event ID 1 and Security Event ID 4688 (the native 4688 fields are NewProcessName and ParentProcessName, so map them to the same property names), and that process command-line auditing is enabled for 4688, otherwise the /dest:console and /password: conditions never match on Security-log events. The parent-process condition is written as a chain of ILIKE tests because AQL has no LIKE ANY form.

Data Sources

Windows Security Event Log
Windows Sysmon

Required Tables

events

False Positives & Tuning

  • Helpdesk and IT support staff using tscon.exe to take over a user's disconnected session for authorized remote assistance; baseline these accounts and their source hosts rather than excluding tscon.exe outright
  • RDS session management scripts that reconnect disconnected sessions as part of VDI maintenance workflows
  • Terminal Services administrators using qwinsta/query session for routine session inventory and cleanup (enumeration alone does not match this query, which fires only on tscon.exe; it matters when correlating a preceding enumeration with a later tscon.exe launch)
  • Automated session management tools for Citrix or RDS environments that legitimately enumerate and transfer sessions

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each lists the behaviour to exercise and the telemetry you should expect. Only tests 2 and 3 produce a tscon.exe process-creation event that the query above can match; tests 1 and 4 exercise the session-enumeration step that precedes a hijack and are useful for correlation and hunting rather than as triggers for this rule.

  1. Test 1: RDP Session Enumeration via qwinsta

    Expected signal: Sysmon Event ID 1: Process Create with Image=qwinsta.exe and CommandLine='qwinsta /server:localhost'. Security Event ID 4688 (if command line auditing enabled). The output lists all sessions with session IDs; an attacker inspects it for disconnected sessions owned by privileged accounts. This step does not match the query above, which fires only on tscon.exe.

  2. Test 2: Direct tscon.exe Session Hijack Attempt

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\tscon.exe and CommandLine='tscon.exe 2 /dest:rdp-tcp#0'. Security Event ID 4688 with the same details (if command line auditing enabled). The command will likely fail with 'Access is denied' when not running as SYSTEM; the process creation event fires regardless of outcome. The query matches this event only when the parent is one of the listed launchers (for example cmd.exe or powershell.exe), so run the test from a shell rather than from Explorer.

  3. Test 3: Service-Based tscon.exe Execution for SYSTEM Privilege

    Expected signal: Sysmon Event ID 1: Process Create for sc.exe with CommandLine containing 'create HijackSvc' and 'tscon'. System Event ID 7045 (Service Control Manager: a new service was installed) with ServiceName='HijackSvc' and ServiceFileName containing 'tscon'. Security Event ID 4697 (a service was installed in the system) if the Security System Extension audit subcategory is enabled. Sysmon Event ID 1 for the cmd.exe and tscon.exe processes spawned by services.exe under the SYSTEM context; this is the highest-priority match for the query above (parent services.exe). Note that 7045 and 4697 are not selected by the query, which filters on Event IDs 1 and 4688; correlate them separately.

  4. Test 4: RDP Session Enumeration via query.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\query.exe and CommandLine='query session /server:localhost'. Security Event ID 4688 if command line auditing enabled. Output is functionally identical to qwinsta, listing session IDs and account names, and like Test 1 it does not by itself match the query above.
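The matching and triage logic of the AQL query above, exercised against the four tests in this section, as an added example in Python that is not code from the original page or from IBM QRadar. It assumes the event records carry the same field names as the query's custom properties (EventID, Image, CommandLine, ParentImage, plus the user), and every sample event below is constructed, not captured telemetry.

```python
"""
Added example (not code from the original page or from IBM): a Python
re-implementation of the QRadar tscon.exe detection, run over constructed
process-creation events so the WHERE-clause matching and the triage ranking
can be checked offline against the Atomic tests described above.
"""
from dataclasses import dataclass

# Parent processes the query treats as suspicious launchers of tscon.exe
# (the ILIKE '%...%' patterns: case-insensitive substring matches).
SUSPICIOUS_PARENTS = (
    "cmd.exe", "powershell", "wscript", "cscript",
    "mshta", "services.exe", "svchost", "psexec",
)


@dataclass
class ProcEvent:
    """One process-creation record: Sysmon EID 1 or Security EID 4688."""
    event_id: int
    image: str
    command_line: str
    parent_image: str
    user: str


def matches(ev: ProcEvent) -> bool:
    """Mirror the WHERE clause: tscon.exe launched from a listed parent,
    or with a session-transfer (/dest:console) or /password: argument."""
    if ev.event_id not in (1, 4688):
        return False
    if "tscon.exe" not in ev.image.lower():
        return False
    parent = ev.parent_image.lower()
    cmd = ev.command_line.lower()
    return (
        any(p in parent for p in SUSPICIOUS_PARENTS)
        or "/dest:console" in cmd
        or "/password:" in cmd
    )


def risk_score(ev: ProcEvent) -> int:
    """Triage order: service-spawned (SYSTEM) hijack first, then a transfer
    to the console session, then PowerShell-launched, else baseline."""
    parent = ev.parent_image.lower()
    if "services.exe" in parent or "svchost.exe" in parent:
        return 10
    if "/dest:console" in ev.command_line.lower():
        return 9
    if "powershell" in parent:
        return 8
    return 6


def detect(events):
    """Return matching events ordered by descending risk; the stable sort
    keeps input order among equal scores."""
    return sorted((e for e in events if matches(e)), key=risk_score, reverse=True)


# Constructed sample telemetry (not real logs): one record per Atomic test
# plus a benign tscon.exe launch from the desktop shell.
SAMPLE_EVENTS = [
    # Test 3: tscon.exe launched by a transient service, running as SYSTEM.
    ProcEvent(1, r"C:\Windows\System32\tscon.exe", "tscon.exe 2 /dest:rdp-tcp#0",
              r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    # tscon.exe from PowerShell transferring a session to the console.
    ProcEvent(1, r"C:\Windows\System32\tscon.exe", "tscon 3 /dest:console",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\jdoe"),
    # Test 2: direct attempt from cmd.exe (fails with Access is denied, event still fires).
    ProcEvent(4688, r"C:\Windows\System32\tscon.exe", "tscon.exe 2 /dest:rdp-tcp#0",
              r"C:\Windows\System32\cmd.exe", r"CORP\jdoe"),
    # Test 1: session enumeration; not a tscon.exe launch, so no match.
    ProcEvent(1, r"C:\Windows\System32\qwinsta.exe", "qwinsta /server:localhost",
              r"C:\Windows\System32\cmd.exe", r"CORP\jdoe"),
    # Benign: helpdesk runs tscon.exe from Explorer with no listed parent or flag.
    ProcEvent(1, r"C:\Windows\System32\tscon.exe", "tscon 4 /dest:rdp-tcp#1",
              r"C:\Windows\explorer.exe", r"CORP\helpdesk"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(risk_score(hit), hit.user, hit.parent_image, hit.command_line)
```

Running the script ranks the service-spawned SYSTEM launch (score 10) above the PowerShell /dest:console transfer (9) and the cmd.exe attempt (6), while the qwinsta enumeration and the Explorer-launched tscon.exe produce no hit. The last case is the tuning boundary worth knowing: an interactive tscon.exe with no suspicious parent and no transfer argument is invisible to this rule, so legitimate helpdesk use is filtered by construction rather than by an allowlist.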
