Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. technique: T1563 ✕

Show ATT&CK heatmap
  • Possible RDP session hijacking using tscon.exe Medium

    The executable tscon.exe can be used to hijack other sessions on the same computer. The attacker may use another user's credentials to proceed with the lateral movement or disguise the activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Service Session Hijacking: RDP Hijacking (T1563.002)
    Required data: XDR Agent
    Attacker's goals: Attackers might hijack existing sessions on the same host to gain access to private data or leverage the logged-in user credentials to laterally move across the network.
    Investigative actions: Verify if the executing process is suspicious. Investigate if the interactive user did any more suspicious or malicious actions.