title: RDP Hijacking (T1563.002)
id: df00tech-t1563-002
status: experimental
description: "Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Using tscon.exe with SYSTEM-level privileges, an attacker can steal an active or disconnected RDP session without requiring the target user's credentials or generating visible prompts. This technique enables silent lateral movement between systems and can escalate privileges by inheriting the security context of the hijacked session — including Domain Admin accounts. Common execution vectors include creating a transient Windows service to run tscon.exe as SYSTEM, or using PsExec to elevate to SYSTEM before invoking tscon.exe directly."
references:
  - https://attack.mitre.org/techniques/T1563/002/
  - https://df00tech.com/detections/T1563.002
author: df00tech
date: 2026/03/12
tags:
  - attack.t1563.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The upstream auto-translation produced a match-everything placeholder; the
  # selection below implements the behaviour the description names: tscon.exe
  # executing as SYSTEM, which is the precondition for connecting to another
  # user's session without that user's password. The fuller KQL/SPL query on
  # df00tech may add context (parent process, service creation) on top of this.
  selection_tscon:
    Image|endswith: '\tscon.exe'
  selection_system:
    User|endswith: '\SYSTEM'
  condition: selection_tscon and selection_system
falsepositives:
  - Helpdesk and IT support staff using tscon.exe to take over a user's session for authorized remote assistance (session shadowing via mstsc /shadow does not involve tscon.exe and will not match)
  - RDS session management scripts that reconnect disconnected sessions as part of VDI maintenance workflows
  - Terminal Services administrators using qwinsta/query session for routine session inventory and cleanup
  - Automated session management tools for Citrix or RDS environments that legitimately enumerate and transfer sessions
level: high
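The following Python is an added worked example, not part of the df00tech rule or of any Sigma tooling. It applies the rule's logic (tscon.exe executing as SYSTEM) to a handful of constructed process_creation events, tags each hit with the execution vector named in the description (transient service versus PsExec, judged by the parent image), and pulls the source and destination session out of the tscon command line for triage. All event data, user names and session ids are made up; the optional `UserSid` field is an assumption about what a particular log source might carry.

```python
"""Added example (not the df00tech rule's own code): evaluate the
tscon.exe-as-SYSTEM logic over constructed process_creation events."""
from __future__ import annotations

import re

# Constructed sample events using Sysmon Event ID 1 style field names.
# None of this is real telemetry; users, paths and session ids are made up.
SAMPLE_EVENTS = [
    # 1. Transient service whose binPath points straight at tscon.exe, so
    #    services.exe is the parent and the process runs as SYSTEM (hijack).
    {"Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon.exe 2 /dest:rdp-tcp#7",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # 2. psexec -s tscon ... : PSEXESVC.exe is the parent, still SYSTEM (hijack).
    {"Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon 2 /dest:console",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # 3. Helpdesk taking over a session with the user's password supplied:
    #    not SYSTEM, so no hit (the false positive the rule avoids).
    {"Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon 3 /dest:rdp-tcp#5 /password:*",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\helpdesk01"},
    # 4. Routine session inventory by an admin: different binary, no hit.
    {"Image": r"C:\Windows\System32\qwinsta.exe",
     "CommandLine": "qwinsta /server:RDS01",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\tsadmin"},
    # 5. Ordinary SYSTEM process: not tscon.exe, no hit.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

# tscon <session id|name> [/dest:<session name>] [...]; the id comes first.
TSCON_RE = re.compile(r"^\S*tscon(?:\.exe)?\s+(\S+)(?:\s+/dest:(\S+))?", re.I)


def is_tscon(image: str) -> bool:
    """Image|endswith '\\tscon.exe', case-insensitive like Sigma."""
    return image.lower().endswith("\\tscon.exe")


def is_system(user: str, sid: str | None = None) -> bool:
    """SYSTEM check. The account name is locale dependent, so prefer the
    well-known SID S-1-5-18 when the log source supplies one (assumed field)."""
    if sid == "S-1-5-18":
        return True
    return user.upper().endswith("\\SYSTEM")


def classify_vector(parent_image: str) -> str:
    """Map the parent process to the execution vectors in the description.
    A service binPath that wraps tscon in 'cmd.exe /k' lands in system-other."""
    parent = parent_image.lower()
    if parent.endswith("\\services.exe"):
        return "service"
    if parent.endswith("\\psexesvc.exe"):
        return "psexec"
    return "system-other"


def parse_tscon(cmdline: str) -> dict | None:
    """Extract the session being taken (target) and the session it is
    attached to (dest) for triage; None if the command line is not tscon."""
    m = TSCON_RE.match(cmdline.strip())
    if not m:
        return None
    return {"target": m.group(1), "dest": m.group(2)}


def hunt(events: list[dict]) -> list[dict]:
    """Return one record per event matching tscon.exe running as SYSTEM."""
    hits = []
    for i, ev in enumerate(events):
        if not is_tscon(ev.get("Image", "")):
            continue
        if not is_system(ev.get("User", ""), ev.get("UserSid")):
            continue
        args = parse_tscon(ev.get("CommandLine", "")) or {}
        hits.append({
            "index": i,
            "vector": classify_vector(ev.get("ParentImage", "")),
            "target_session": args.get("target"),
            "dest_session": args.get("dest"),
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Events 3 and 4 are the helpdesk and inventory cases from the falsepositives list: they never reach the SYSTEM check, which is why keying the rule on the SYSTEM context rather than on tscon.exe alone keeps authorized takeovers (which need the user's password) out of the alert stream.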
