RDP Session Hijacking Using tscon
Rule added on 30th May, 2024
Rule type:
Correlation
Rule description:
Remote Desktop Protocol (RDP) is a standard feature of the Windows operating system that lets a user connect remotely to other computers, including servers and desktops.
Attackers may abuse this feature by hijacking a legitimate user's remote desktop session with the tscon utility. Tscon is a built-in Windows command-line tool that attaches a user's session to a different session on the same Remote Desktop Session Host, which is how an administrator switches between sessions on one machine. Normally tscon requires the password of the user who owns the target session; when it runs with SYSTEM-level privileges that check does not apply, so an attacker who has already obtained SYSTEM on the host (for example through a service or a scheduled task) can attach to any other user's session, including disconnected ones, without knowing that user's credentials, and then acts as that user inside an already-authenticated session.
Attack chain scenario: Phishing -> RDP session -> RDP session hijacking using Tscon -> Privilege escalation -> Data exfiltration
Impact:
This can affect an organization in the following ways:
- Compromise of sensitive data
- Data breach
- Persistence
- Lateral movement
Data source:
Windows > Process Creation
Required configuration: The rule is based on process creation events. Prerequisites are installing and configuring Sysmon (Event ID 1, which records the process image, original file name, command line and user), enabling the Audit Process Creation policy (Security Event ID 4688), and enabling command-line auditing so that the 4688 event includes the process command line.
Relevant MITRE ATT&CK techniques and tactics:
Tactic: TA0008 - Lateral Movement
Technique: T1563 - Remote Service Session Hijacking
Sub-technique: T1563.002 - RDP Hijacking
Criteria:
( (( Process Name endswith "tscon.exe" ) OR (ORIGINALFILENAME contains "tscon")) AND ( Command Line not contains "/password" ) ) AND ( ( Username equals "NT AUTHORITY\SYSTEM" ) OR ( Security Id equals "S-1-5-18" ) )
Attackers may run tscon.exe to attach another user's session, typically a disconnected one, to their own without that user's credentials. The usual form is tscon <session ID> /dest:<attacker's session name>, where the session ID is obtained beforehand with query user or qwinsta.
The condition that the command line does not contain /password targets exactly this passwordless hijack: a legitimate user attaching to a session they do not own must supply /password, whereas SYSTEM does not need to.
S-1-5-18 is the well-known Security Identifier (SID) of the Local System account; matching on the SID as well as on the account name covers log sources that render the SYSTEM account name differently.
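The criteria above, re-implemented as an added example (this is illustration code, not the product's rule engine) and run over constructed process-creation records. The field names Image, OriginalFileName, CommandLine, User, SecurityId and Computer are assumed to be the normalized form of the Sysmon Event ID 1 / Security Event ID 4688 fields; the hostnames, users and paths in the sample records are made up. Besides applying the rule, the example pulls the hijacked session ID and the /dest: target out of the command line, which is the first thing an analyst needs when triaging a hit.

```python
"""Added example (not the product's rule engine): the correlation criteria for
RDP session hijacking via tscon, applied to constructed process-creation records.

Assumed normalized field names: Image, OriginalFileName, CommandLine, User,
SecurityId, Computer. All sample records below are constructed for this example."""
import shlex
from typing import Dict, List, Optional, Tuple

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
SYSTEM_SID = "S-1-5-18"


def is_tscon_hijack(event: Dict[str, str]) -> bool:
    """Apply the rule criteria to one process-creation record.

    (Image ends with tscon.exe OR OriginalFileName contains tscon)
      AND CommandLine does not contain /password
      AND (User is NT AUTHORITY\\SYSTEM OR SecurityId is S-1-5-18)
    Comparisons are case-insensitive, as Windows paths and switches are.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    user = event.get("User", "").upper()
    sid = event.get("SecurityId", "")

    is_tscon = image.endswith("tscon.exe") or "tscon" in original
    passwordless = "/password" not in cmdline
    is_system = user == SYSTEM_USER or sid == SYSTEM_SID
    return is_tscon and passwordless and is_system


def parse_tscon_args(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract the hijacked session (first positional argument) and the /dest:
    session name from a tscon command line. tscon's syntax is
    tscon {<sessionID> | <sessionname>} [/dest:<sessionname>] [/password:<pw>] [/v].
    posix=False keeps Windows backslash paths and quoted arguments intact."""
    tokens = shlex.split(cmdline, posix=False)[1:]  # drop the program token itself
    target = next((t for t in tokens if not t.startswith("/")), None)
    dest = next((t[len("/dest:"):] for t in tokens if t.lower().startswith("/dest:")), None)
    return target, dest


def scan(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Run the rule over a batch of records and enrich each hit for the analyst."""
    alerts = []
    for ev in events:
        if is_tscon_hijack(ev):
            target, dest = parse_tscon_args(ev.get("CommandLine", ""))
            alerts.append({
                "host": ev.get("Computer"),
                "user": ev.get("User"),
                "target_session": target,  # the session that was taken over
                "dest_session": dest,      # the session it was attached to
                "command": ev.get("CommandLine"),
            })
    return alerts


# Constructed sample records (hostnames, users and paths are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # SYSTEM attaches session 2 to its own RDP session: expected to alert
        "Computer": "TS01", "User": "NT AUTHORITY\\SYSTEM", "SecurityId": "S-1-5-18",
        "Image": "C:\\Windows\\System32\\tscon.exe", "OriginalFileName": "tscon.exe",
        "CommandLine": "tscon.exe 2 /dest:rdp-tcp#0",
    },
    {   # an admin switching sessions with the owner's password: benign, no alert
        "Computer": "TS01", "User": "CONTOSO\\jdoe", "SecurityId": "S-1-5-21-1-2-3-1105",
        "Image": "C:\\Windows\\System32\\tscon.exe", "OriginalFileName": "tscon.exe",
        "CommandLine": "tscon 3 /dest:console /password:Passw0rd!",
    },
    {   # tscon.exe copied and renamed; OriginalFileName still gives it away
        "Computer": "TS02", "User": "NT AUTHORITY\\SYSTEM", "SecurityId": "S-1-5-18",
        "Image": "C:\\Temp\\svc.exe", "OriginalFileName": "tscon.exe",
        "CommandLine": "C:\\Temp\\svc.exe 2 /dest:console",
    },
    {   # SYSTEM but with /password present: excluded by the rule as written
        "Computer": "TS02", "User": "NT AUTHORITY\\SYSTEM", "SecurityId": "S-1-5-18",
        "Image": "C:\\Windows\\System32\\tscon.exe", "OriginalFileName": "tscon.exe",
        "CommandLine": "tscon.exe 2 /dest:console /password:*",
    },
    {   # non-SYSTEM account without /password: tscon itself would demand one
        "Computer": "TS03", "User": "CONTOSO\\helpdesk", "SecurityId": "S-1-5-21-1-2-3-1200",
        "Image": "C:\\Windows\\System32\\tscon.exe", "OriginalFileName": "tscon.exe",
        "CommandLine": "tscon 1 /dest:rdp-tcp#3",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the SYSTEM-driven tscon on TS01 and the renamed copy on TS02. Note the fourth record: the rule as written deliberately excludes any command line carrying /password, so a SYSTEM-level hijack that passes a dummy /password:* would not fire; if that gap matters in your environment, drop the /password exclusion and rely on the SYSTEM condition alone.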
When to enable this rule:
Enabling this rule will help you meet the security standard's requirement listed below:
Security standards (NIST CSF 2.0):
PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.
When this rule is triggered, you are notified of a potential RDP session hijacking using tscon. Review which session was attached to and under which account, confirm with the session owner or the administrator whether the action was expected, and take corrective measures; monitoring tscon usage regularly helps surface unauthorized access early.
Known false positives: This rule may trigger when administrators use tscon to troubleshoot or manage remote desktop sessions. Verify the context (change ticket, the admin's own session, expected maintenance window) before escalating.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Identify if the alert is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to terminate the malicious process and disconnect or log off the hijacked session.
- Implement Multi-factor Authentication (MFA): Enforce MFA on RDP logons. This raises the bar for the initial RDP access in the attack chain above; it does not stop a tscon hijack by an attacker who already holds SYSTEM on the host, so also restrict who can obtain SYSTEM (service and scheduled-task creation) and log off, rather than merely disconnect, idle sessions.