Detection of suspicious use of tscon.exe, or equivalent methods, to hijack legitimate RDP sessions. When tscon.exe runs as SYSTEM (for example from a service created with sc.exe), it can attach another user's disconnected RDP session to the attacker's session without that user's password, so the session changes hands without a new interactive logon. Defenders can observe anomalies such as session reassignments without a corresponding 4624 logon, processes spawned in the context of the hijacked session, or RDP network traffic flows that deviate from expected baselines.
| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624, 4634 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7045 |

| Field | Description |
|---|---|
| ExpectedRDPHosts | Whitelist of systems and accounts authorized to use RDP; deviations indicate possible hijacking. |
| TimeWindow | Time threshold for correlating logon events with session reassignment and process execution. |
| SessionIDMapping | Environment-specific mapping of user accounts to session IDs; inconsistencies may reveal hijacking. |
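Added example (not part of the original strategy, and not MITRE's code) of the correlation described above, run over constructed Security, Sysmon and System events: each tscon invocation seen in a process-creation (EventCode 1) or service-creation (EventCode 7045) event is checked for a RemoteInteractive logon (4624, LogonType 10) by the same account on the same host within `TimeWindow`, for execution as SYSTEM, and for the host being in `ExpectedRDPHosts`. Host names, account names, session IDs and the event field layout are assumptions for illustration.

```python
"""Correlate tscon.exe use with RDP logon context (constructed example, not MITRE's code)."""
import re
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(minutes=10)   # mutable element: TimeWindow
EXPECTED_RDP_HOSTS = {"SRV01"}        # mutable element: ExpectedRDPHosts (hypothetical host name)
# "tscon <session-id> ..." or "tscon.exe <session-id> ..." anywhere in a command line / service ImagePath
TSCON_RE = re.compile(r"\btscon(?:\.exe)?\s+(\S+)", re.IGNORECASE)

# Constructed sample events; field names are simplified from the native event XML.
EVENTS = [
    {"time": "2024-01-01T10:00:00", "source": "Security", "code": 4624, "host": "SRV01",
     "logon_type": 10, "user": "CORP\\alice"},
    {"time": "2024-01-01T10:01:00", "source": "Sysmon", "code": 1, "host": "SRV01",
     "user": "CORP\\alice", "image": "C:\\Windows\\System32\\tscon.exe",
     "cmdline": "tscon.exe 2 /dest:console"},                      # admin reconnecting after her own logon
    {"time": "2024-01-01T10:02:00", "source": "Sysmon", "code": 1, "host": "SRV01",
     "user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe"},                                     # unrelated process, must be ignored
    {"time": "2024-01-01T10:30:00", "source": "System", "code": 7045, "host": "SRV02",
     "user": "NT AUTHORITY\\SYSTEM",
     "image_path": 'cmd.exe /k tscon 2 /dest:rdp-tcp#3'},          # service-wrapped tscon, no 4624 for SYSTEM
    {"time": "2024-01-01T10:31:00", "source": "Sysmon", "code": 1, "host": "SRV02",
     "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\tscon.exe",
     "cmdline": "tscon 2 /dest:rdp-tcp#3"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def rdp_logons(events):
    """(time, host, user) of successful RemoteInteractive logons: Security 4624 with LogonType 10."""
    return [(_ts(e["time"]), e["host"], e["user"].lower())
            for e in events
            if e["source"] == "Security" and e["code"] == 4624 and e.get("logon_type") == 10]


def tscon_invocations(events):
    """Yield tscon uses from Sysmon process creation (1) and System service creation (7045)."""
    for e in events:
        if e["source"] == "Sysmon" and e["code"] == 1:
            text, via = e["cmdline"], "process"
            if not (e["image"].lower().endswith("\\tscon.exe") or TSCON_RE.search(text)):
                continue
        elif e["source"] == "System" and e["code"] == 7045:
            text, via = e["image_path"], "service"
            if not TSCON_RE.search(text):
                continue
        else:
            continue
        m = TSCON_RE.search(text)
        yield {"time": _ts(e["time"]), "host": e["host"], "user": e["user"],
               "session": m.group(1) if m else None, "via": via, "text": text}


def detect(events, expected_hosts=EXPECTED_RDP_HOSTS, window=TIME_WINDOW):
    """One finding per suspicious tscon invocation, listing every condition it tripped."""
    logons = rdp_logons(events)
    findings = []
    for inv in tscon_invocations(events):
        reasons = []
        if inv["via"] == "service":
            reasons.append("service_wraps_tscon")       # sc.exe create ... binpath= "cmd /k tscon ..." pattern
        if inv["user"].upper().endswith("\\SYSTEM"):
            reasons.append("run_as_system")             # SYSTEM attaches to other sessions without a password
        recent = any(inv["time"] - window <= t <= inv["time"]
                     and h == inv["host"] and u == inv["user"].lower()
                     for t, h, u in logons)
        if not recent:
            reasons.append("no_recent_rdp_logon")       # session reassignment without a matching 4624
        if inv["host"] not in expected_hosts:
            reasons.append("unexpected_host")
        if reasons:
            findings.append({**inv, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["time"], f["host"], f["user"], f["via"], "session", f["session"], f["reasons"])
```

The legitimate reconnect by the account that just logged on interactively produces no finding; the two SYSTEM events on the non-allowlisted host are each flagged with every reason that applies, so the alert text tells the analyst whether it was the missing logon, the SYSTEM context, the service wrapper or the host that tripped. The `SessionIDMapping` check from the table is intentionally left out: it depends on a per-environment lookup that this sample data does not carry.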