Detect RDP Hijacking in Splunk
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Using tscon.exe with SYSTEM-level privileges, an attacker can steal an active or disconnected RDP session without requiring the target user's credentials or generating visible prompts. This technique enables silent lateral movement between systems and can escalate privileges by inheriting the security context of the hijacked session — including Domain Admin accounts. Common execution vectors include creating a transient Windows service to run tscon.exe as SYSTEM, or using PsExec to elevate to SYSTEM before invoking tscon.exe directly.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1563 Remote Service Session Hijacking
- Sub-technique: T1563.002 RDP Hijacking
- Canonical reference: https://attack.mitre.org/techniques/T1563/002/
SPL Detection Query
| union
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
Image="*\\tscon.exe"
| eval Detection="tscon_direct_execution"
| eval IsSystemContext=if(match(User, "(?i)(system|nt authority)"), 1, 0)
| eval HasSessionArg=if(match(CommandLine, "tscon\.exe\s+\d+"), 1, 0)
| eval HasDestArg=if(match(CommandLine, "/dest:"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
Detection, IsSystemContext, HasSessionArg, HasDestArg, SuspiciousParent
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
Image="*\\sc.exe" CommandLine="*tscon*"
| eval Detection="service_creation_tscon"
| eval TacticDetail="Service-based tscon execution for SYSTEM privilege"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Detection, TacticDetail
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\qwinsta.exe" OR (Image="*\\query.exe" AND (CommandLine="*session*" OR CommandLine="*user*")))
| eval Detection="rdp_session_enumeration"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Detection
]
[
search index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4778 OR EventCode=4779)
| eval Detection=case(
EventCode=4778, "rdp_session_reconnect",
EventCode=4779, "rdp_session_disconnect",
true(), "unknown"
)
| eval AccountName=mvindex(Account_Name, 0)
| eval ClientName=mvindex(Client_Name, 0)
| eval SessionName=mvindex(Session_Name, 0)
| table _time, host, AccountName, ClientName, SessionName, EventCode, Detection
]
| sort - _time

This query detects RDP session hijacking via four correlated Splunk search branches: (1) Sysmon EventCode 1 for tscon.exe process creation, with contextual fields for SYSTEM context, session arguments, and suspicious parent processes; (2) sc.exe service creation with tscon in the command line, the usual route to SYSTEM privilege; (3) qwinsta/query.exe session enumeration as a reconnaissance precursor; and (4) Windows Security EventCodes 4778 (session reconnect) and 4779 (session disconnect), which capture the resulting session state changes. Security Event IDs 4778/4779 are particularly valuable because they log the account whose session was affected and the originating client name.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Helpdesk staff using tscon.exe for authorized remote assistance to end users
- RDS or VDI administrators using session management scripts with qwinsta for capacity management
- Event IDs 4778/4779 fire on every normal RDP connect and disconnect — high volume environments will need correlation with tscon.exe events to reduce noise
- Automated terminal server session management products (Citrix Director, RD Connection Broker) generating session reconnect events
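To make the branch logic of the SPL query concrete, and to show the correlation the tuning note above recommends (treating a 4778/4779 session event as hijack evidence only when a tscon-related detection fired on the same host shortly before), here is an added Python example. It is not part of the original detection page and is not Splunk code: it re-expresses the four union branches in Python, runs them over a few constructed events whose field names mirror the query (the hosts, accounts, client names and timestamps are invented), and then flags correlated session events. The five-minute correlation window is an assumption to tune for your environment.

```python
"""Added example, not part of the original detection page or Splunk's code:
the SPL union branches re-expressed in Python, run over constructed events,
with the tscon.exe <-> Event 4778/4779 correlation used to cut noise."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field names mirror the SPL
# query; hosts, accounts, client names and timestamps are invented.
SAMPLE_EVENTS = [
    # Reconnaissance precursor: session enumeration from an interactive shell
    {"_time": "2024-05-01T09:00:00", "host": "WS01", "sourcetype": "sysmon",
     "EventCode": "1", "User": "CORP\\helpdesk1",
     "Image": "C:\\Windows\\System32\\qwinsta.exe",
     "CommandLine": "qwinsta /server:localhost",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # tscon.exe as SYSTEM from cmd.exe with a session id and /dest: argument
    {"_time": "2024-05-01T09:00:20", "host": "WS01", "sourcetype": "sysmon",
     "EventCode": "1", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\tscon.exe",
     "CommandLine": "tscon.exe 2 /dest:rdp-tcp#0",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Resulting session reconnect logged on the same host seconds later
    {"_time": "2024-05-01T09:00:25", "host": "WS01", "sourcetype": "security",
     "EventCode": "4778", "Account_Name": "CORP\\da-admin",
     "Client_Name": "WS01", "Session_Name": "RDP-Tcp#0"},
    # Routine RDP reconnect on another host with no tscon activity: noise
    {"_time": "2024-05-01T09:05:00", "host": "WS02", "sourcetype": "security",
     "EventCode": "4778", "Account_Name": "CORP\\jsmith",
     "Client_Name": "LAPTOP-7", "Session_Name": "RDP-Tcp#3"},
]

# Same regexes as the eval/match() calls in the SPL query.
SYSTEM_RE = re.compile(r"(?i)(system|nt authority)")
SESSION_ARG_RE = re.compile(r"tscon\.exe\s+\d+")
DEST_ARG_RE = re.compile(r"/dest:")
SUSPICIOUS_PARENT_RE = re.compile(
    r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)")


def classify(ev):
    """Return (Detection, extra fields) for one event, mirroring the four
    union branches, or None if no branch matches."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if ev["sourcetype"] == "sysmon" and ev["EventCode"] == "1":
        if image.endswith("\\tscon.exe"):
            return "tscon_direct_execution", {
                "IsSystemContext": int(bool(SYSTEM_RE.search(ev.get("User", "")))),
                "HasSessionArg": int(bool(SESSION_ARG_RE.search(cmd))),
                "HasDestArg": int(bool(DEST_ARG_RE.search(cmd))),
                "SuspiciousParent": int(bool(
                    SUSPICIOUS_PARENT_RE.search(ev.get("ParentImage", "")))),
            }
        if image.endswith("\\sc.exe") and "tscon" in cmd.lower():
            return "service_creation_tscon", {
                "TacticDetail": "Service-based tscon execution for SYSTEM privilege"}
        if image.endswith("\\qwinsta.exe") or (
                image.endswith("\\query.exe")
                and re.search(r"(?i)session|user", cmd)):
            return "rdp_session_enumeration", {}
    if ev["sourcetype"] == "security" and ev["EventCode"] in ("4778", "4779"):
        name = ("rdp_session_reconnect" if ev["EventCode"] == "4778"
                else "rdp_session_disconnect")
        return name, {"AccountName": ev.get("Account_Name"),
                      "ClientName": ev.get("Client_Name"),
                      "SessionName": ev.get("Session_Name")}
    return None


def run_detection(events, window=timedelta(minutes=5)):
    """Classify every event, then mark each 4778/4779 row with
    CorrelatedWithTscon=1 if a tscon-related detection fired on the same
    host within `window` before it (the window is an assumption to tune)."""
    rows = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        hit = classify(ev)
        if hit:
            det, extra = hit
            rows.append({**ev, "Detection": det, **extra})
    tscon_seen = {}  # host -> timestamps of tscon-related detections
    for r in rows:
        if r["Detection"] in ("tscon_direct_execution", "service_creation_tscon"):
            tscon_seen.setdefault(r["host"], []).append(
                datetime.fromisoformat(r["_time"]))
    for r in rows:
        if r["Detection"] in ("rdp_session_reconnect", "rdp_session_disconnect"):
            t = datetime.fromisoformat(r["_time"])
            r["CorrelatedWithTscon"] = int(any(
                timedelta(0) <= t - ts <= window
                for ts in tscon_seen.get(r["host"], [])))
    return rows


def high_confidence(rows):
    """Rows worth escalating: tscon executions, plus only those session
    state changes that correlate with one (uncorrelated 4778/4779 is noise)."""
    return [r for r in rows
            if r["Detection"] in ("tscon_direct_execution", "service_creation_tscon")
            or r.get("CorrelatedWithTscon") == 1]


if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r["_time"], r["host"], r["Detection"], r.get("CorrelatedWithTscon", ""))
```

Run against the constructed events, the WS01 reconnect is kept because tscon.exe ran as SYSTEM on that host five seconds earlier, while the WS02 reconnect is dropped as an ordinary user reconnect; the enumeration hit on WS01 is retained only as context. In Splunk the same correlation can be done with a transaction or a streamstats/eventstats window keyed on host, but the classification and the per-host time window are the parts that decide how much 4778/4779 volume survives.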
Other platforms for T1563.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: RDP Session Enumeration via qwinsta
Expected signal: Sysmon Event ID 1: Process Create with Image=qwinsta.exe and CommandLine='qwinsta /server:localhost'. Security Event ID 4688 (if command line auditing enabled). The output lists all sessions with session IDs — an attacker visually inspects for disconnected sessions owned by privileged accounts.
- Test 2: Direct tscon.exe Session Hijack Attempt
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\tscon.exe and CommandLine='tscon.exe 2 /dest:rdp-tcp#0'. Security Event ID 4688 with same details (if command line auditing enabled). The command will likely fail with 'Access is denied' when not running as SYSTEM — the process creation event fires regardless of outcome.
- Test 3: Service-Based tscon.exe Execution for SYSTEM Privilege
Expected signal: Sysmon Event ID 1: Process Create for sc.exe with CommandLine containing 'create HijackSvc' and 'tscon'. Windows System Event ID 7045 (New Service Installed) with ServiceName='HijackSvc' and ServiceFileName containing 'tscon'. Sysmon Event ID 1 for the spawned cmd.exe and tscon.exe processes running under SYSTEM context. Security Event ID 4697 (service installed) in the Security log.
- Test 4: RDP Session Enumeration via query.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\query.exe and CommandLine='query session /server:localhost'. Security Event ID 4688 if command line auditing enabled. Output is functionally identical to qwinsta, listing session IDs and account names.
References (11)
- https://attack.mitre.org/techniques/T1563/002/
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- https://github.com/nccgroup/redsnarf
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tscon
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4778
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4779
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://www.logrhythm.com/blog/a-defenders-guide-for-ryuk-ransomware/