Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0008 ✕ technique: T1563 ✕
Show ATT&CK heatmapPossible RDP session hijacking using tscon.exe Medium
The executable tscon.exe can be used to hijack other sessions on the same computer. The attacker may use another user's credentials to proceed with the lateral movement or disguise the activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Service Session Hijacking: RDP Hijacking (T1563.002)Required data: XDR AgentAttacker's goals: Attackers might hijack existing sessions on the same host to gain access to private data or leverage the logged-in user credentials to laterally move across the network.Investigative actions: Verify if the executing process is suspicious. Investigate if the interactive user did any more suspicious or malicious actions.