T1563.002 Microsoft Sentinel · KQL

Detect RDP Hijacking in Microsoft Sentinel

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Using tscon.exe with SYSTEM-level privileges, an attacker can steal an active or disconnected RDP session without requiring the target user's credentials or generating visible prompts. This technique enables silent lateral movement between systems and can escalate privileges by inheriting the security context of the hijacked session — including Domain Admin accounts. Common execution vectors include creating a transient Windows service to run tscon.exe as SYSTEM, or using PsExec to elevate to SYSTEM before invoking tscon.exe directly.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1563 Remote Service Session Hijacking
Sub-technique
T1563.002 RDP Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1563/002/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// Part 1: Direct tscon.exe execution — primary indicator of RDP session hijacking
let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
let PrivilegedParents = dynamic(["services.exe", "svchost.exe", "psexec.exe", "psexesvc.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "tscon.exe"
// Note: AccountDomain "NT AUTHORITY" also covers LOCAL SERVICE and NETWORK SERVICE, not only SYSTEM
| extend IsSystemContext = (AccountName =~ "SYSTEM" or AccountDomain =~ "NT AUTHORITY")
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend PrivilegedParent = InitiatingProcessFileName in~ (PrivilegedParents)
// Session ID argument; ".exe" is optional because the bare form "tscon 2 /dest:..." is the common one
| extend HasSessionArg = ProcessCommandLine matches regex @"(?i)tscon(\.exe)?\s+\d+"
| extend HasDestArg = ProcessCommandLine has "/dest:"
| extend TacticDetail = "Direct tscon.exe execution: RDP session hijack indicator"
| project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TacticDetail,
         IsSystemContext, SuspiciousParent, PrivilegedParent, HasSessionArg, HasDestArg
| union (
    // Part 2: Service creation to run tscon.exe as SYSTEM (privilege escalation vector)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "sc.exe"
    | where ProcessCommandLine has "tscon"
    | extend TacticDetail = "Service-based tscon execution — SYSTEM privilege escalation for session hijack"
    | project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine, TacticDetail
)
| union (
    // Part 3: Session enumeration immediately before potential hijack (recon phase)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("qwinsta.exe", "query.exe")
    | where ProcessCommandLine has_any ("session", "user", "/server:")
    | extend TacticDetail = "RDP session enumeration — likely precursor to session hijack"
    | project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine, TacticDetail
)
// Single final sort; columns missing from a union branch (e.g. the Part 1 flags) are null for that branch
| sort by Timestamp desc
```
Severity: High · Confidence: High

Detects RDP session hijacking (T1563.002) via three correlated signals in Microsoft Defender for Endpoint: (1) direct execution of tscon.exe — the Windows binary used to transfer session ownership — especially when run as SYSTEM or from suspicious parent processes; (2) service creation (sc.exe) with tscon.exe in the command line, the classic privilege escalation approach to achieve SYSTEM context required for hijacking; and (3) RDP session enumeration via qwinsta.exe or query.exe, which typically precedes the hijack. Correlating all three signals within a time window strongly indicates adversarial activity.
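The three signals and the per-device time-window correlation described above, modelled in Python over constructed sample records (an added example, not the rule's own code; the record keys follow DeviceProcessEvents column names, and the 30-minute window, host names, accounts and command lines are assumptions):

```python
import re
from datetime import datetime, timedelta

# Lists and session-argument regex mirrored from the KQL rule; the regex also accepts bare "tscon 2 ..."
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
PRIVILEGED_PARENTS = {"services.exe", "svchost.exe", "psexec.exe", "psexesvc.exe"}
SESSION_ARG = re.compile(r"tscon(\.exe)?\s+\d+", re.IGNORECASE)

def classify(e):
    """Map one DeviceProcessEvents-style record to a rule signal (Part 1/2/3) or None."""
    name, cmd = e["FileName"].lower(), e["ProcessCommandLine"].lower()
    if name == "tscon.exe":
        return "tscon"
    if name == "sc.exe" and "tscon" in cmd:
        return "sc_tscon"
    if name in ("qwinsta.exe", "query.exe") and any(k in cmd for k in ("session", "user", "/server:")):
        return "enum"
    return None

def tscon_flags(e):
    """Part 1 context columns for a tscon.exe event, named as in the KQL extend clauses."""
    parent, cmd = e["InitiatingProcessFileName"].lower(), e["ProcessCommandLine"]
    return {"IsSystemContext": e["AccountName"].lower() == "system" or e["AccountDomain"].lower() == "nt authority",
            "SuspiciousParent": parent in SUSPICIOUS_PARENTS, "PrivilegedParent": parent in PRIVILEGED_PARENTS,
            "HasSessionArg": bool(SESSION_ARG.search(cmd)), "HasDestArg": "/dest:" in cmd.lower()}

def correlate(events, window=timedelta(minutes=30)):
    """For each tscon.exe event, gather the signals seen on the same device within `window` before it."""
    hits = []
    for e in events:
        if classify(e) != "tscon":
            continue
        t, dev = e["Timestamp"], e["DeviceName"]
        prior = {classify(o) for o in events if o["DeviceName"] == dev and t - window <= o["Timestamp"] <= t}
        hits.append({"device": dev, "signals": sorted(s for s in prior if s), **tscon_flags(e)})
    return hits

def rec(ts, dev, acct, dom, file, cmd, parent):  # builds one record using DeviceProcessEvents column names
    return {"Timestamp": datetime.fromisoformat(ts), "DeviceName": dev, "AccountName": acct, "AccountDomain": dom,
            "FileName": file, "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    rec("2024-05-01T09:00:00", "ws01", "jdoe", "CORP", "qwinsta.exe", "qwinsta /server:localhost", "cmd.exe"),
    rec("2024-05-01T09:02:00", "ws01", "jdoe", "CORP", "sc.exe",
        'sc create HijackSvc binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#0"', "cmd.exe"),
    rec("2024-05-01T09:02:05", "ws01", "SYSTEM", "NT AUTHORITY", "tscon.exe", "tscon 2 /dest:rdp-tcp#0", "cmd.exe"),
    rec("2024-05-01T14:00:00", "ws02", "helpdesk", "CORP", "tscon.exe", "tscon.exe 3 /dest:console", "explorer.exe"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields one hit with all three signals and SYSTEM context for ws01, and one isolated, non-SYSTEM tscon.exe hit for ws02 that matches the helpdesk false-positive profile listed under tuning.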

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Helpdesk and IT support staff using tscon.exe to shadow or take over sessions for authorized remote assistance
  • RDS session management scripts that reconnect disconnected sessions as part of VDI maintenance workflows
  • Terminal Services administrators using qwinsta/query session for routine session inventory and cleanup
  • Automated session management tools for Citrix or RDS environments that legitimately enumerate and transfer sessions

Testing Methodology

Validate this detection against the 4 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: RDP Session Enumeration via qwinsta

    Expected signal: Sysmon Event ID 1: Process Create with Image=qwinsta.exe and CommandLine='qwinsta /server:localhost'. Security Event ID 4688 (if command line auditing enabled). The output lists all sessions with session IDs — an attacker visually inspects for disconnected sessions owned by privileged accounts.

  2. Test 2: Direct tscon.exe Session Hijack Attempt

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\tscon.exe and CommandLine='tscon.exe 2 /dest:rdp-tcp#0'. Security Event ID 4688 with same details (if command line auditing enabled). The command will likely fail with 'Access is denied' when not running as SYSTEM — the process creation event fires regardless of outcome.

  3. Test 3: Service-Based tscon.exe Execution for SYSTEM Privilege

    Expected signal: Sysmon Event ID 1: Process Create for sc.exe with CommandLine containing 'create HijackSvc' and 'tscon'. Windows Security Event ID 7045 (New Service Installed) with ServiceName='HijackSvc' and ServiceFileName containing 'tscon'. Sysmon Event ID 1 for the spawned cmd.exe and tscon.exe processes running under SYSTEM context. Security Event ID 4697 (service installed) in Security log.

  4. Test 4: RDP Session Enumeration via query.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\query.exe and CommandLine='query session /server:localhost'. Security Event ID 4688 if command line auditing enabled. Output is functionally identical to qwinsta, listing session IDs and account names.
