Microsoft Defender Alert Details
Alert ID: MD-RDP-HIJACK-1563-7842
Alert Time: 2024-02-26 11:30:22 EST
Severity: HIGH (88/100)
Source: Microsoft Defender for Endpoint
Rule: “RDP Session Hijacking Attempt Detected”
MITRE ATT&CK: T1563.002 – Remote Service Session Hijacking: RDP Hijacking
Alert Details:
Detection: Attempt to hijack existing RDP session via tscon.exe
Host: IT-WS-034 (IT Workstation)
User: bjones (Brian Jones, IT Admin)
Time: 11:25 EST
Process Tree:
explorer.exe (PID: 2341)
  └─ cmd.exe (PID: 4789)
       └─ tscon.exe (PID: 4792)
Command: tscon 2 /dest:console
Target Session: 2 (active RDP session of another user)
Additional Context:
Session 2 belongs to user msmith (IT Admin), connected remotely over RDP
tscon.exe attaches an existing session to a different destination (here the console); pointed at another user's session it takes that session over
Attaching to another user's session without supplying that user's password requires running as SYSTEM (which holds SeTcbPrivilege); from an ordinary user or local-admin shell the command is denied
Attacker attempting to hijack an active admin session
Detection Logic:
tscon.exe launched from a non-SYSTEM context (cmd.exe running as bjones)
Target session ID (2) belongs to a different user than the caller
Command line matches the hijack pattern "tscon <session ID> /dest:console"
bjones is neither SYSTEM nor a holder of SeTcbPrivilege, so there is no legitimate reason for the account to switch sessions; the command line indicates intent even though it could not succeed from this shell
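The detection logic above, applied to process-creation records, as an added example (not Defender's own rule and not code from the original report). The records are constructed for the example and use Security event 4688 field names (SubjectUserName, NewProcessName, CommandLine, ParentProcessName); the session-owner map stands in for quser output. Beyond the incident's own case it also grades the variant that does succeed: tscon run as SYSTEM from a service.

```powershell
# Added example, not part of the original alert or of Defender's rule logic.
# Applies the four detection conditions to process-creation records. 4688
# only carries CommandLine when the audit policy "Include command line in
# process creation events" is enabled.

function Get-SessionOwners {
    # Session ID -> owner, as quser would report on the host.
    # Constructed for the example; in production build it from quser output.
    return @{ 1 = 'bjones'; 2 = 'msmith' }
}

function Test-TsconHijack {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,
        [Parameter(Mandatory)] [hashtable] $SessionOwners
    )
    foreach ($e in $Events) {
        # Condition 1: the process is tscon.exe
        if ($e.NewProcessName -notmatch '(?i)\\tscon\.exe$') { continue }

        # Condition 3: command line matches "tscon <id> /dest:<target>"
        $m = [regex]::Match($e.CommandLine, '(?i)tscon(?:\.exe)?"?\s+(?<sid>\d+)\s+/dest:(?<dest>\S+)')
        if (-not $m.Success) { continue }
        $targetId = [int]$m.Groups['sid'].Value

        # Condition 2: the target session belongs to someone other than the caller
        $owner = $SessionOwners[$targetId]
        if (-not $owner -or $owner -ieq $e.SubjectUserName) { continue }

        # Condition 4: caller is not SYSTEM. From a user or admin shell tscon is
        # denied, so that is intent rather than success. A SYSTEM caller whose
        # parent is services.exe is the service-based variant that does succeed.
        $isSystem    = ($e.SubjectUserName -ieq 'SYSTEM') -or ($e.SubjectUserName -like '*$')
        $fromService = $e.ParentProcessName -match '(?i)\\services\.exe$'
        $verdict = if (-not $isSystem) { 'ATTEMPT (non-SYSTEM caller, would be denied)' } elseif ($fromService) { 'LIKELY TAKEOVER (SYSTEM via service)' } else { 'REVIEW (SYSTEM caller)' }

        [pscustomobject]@{
            Time          = $e.TimeCreated
            Host          = $e.Computer
            Caller        = $e.SubjectUserName
            Parent        = $e.ParentProcessName
            TargetSession = $targetId
            TargetOwner   = $owner
            Destination   = $m.Groups['dest'].Value
            Verdict       = $verdict
            CommandLine   = $e.CommandLine
        }
    }
}

# Constructed sample records (not real telemetry from IT-WS-034).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated='2024-02-26 11:00:03'; Computer='IT-WS-034'; SubjectUserName='bjones'
        ParentProcessName='C:\Windows\System32\cmd.exe'; NewProcessName='C:\Windows\System32\quser.exe'
        CommandLine='quser' }
    # The incident: bjones from cmd.exe, another user's session, would be denied
    [pscustomobject]@{ TimeCreated='2024-02-26 11:25:12'; Computer='IT-WS-034'; SubjectUserName='bjones'
        ParentProcessName='C:\Windows\System32\cmd.exe'; NewProcessName='C:\Windows\System32\tscon.exe'
        CommandLine='tscon 2 /dest:console' }
    # Benign: msmith moving their own session, must not fire
    [pscustomobject]@{ TimeCreated='2024-02-26 11:26:40'; Computer='IT-WS-034'; SubjectUserName='msmith'
        ParentProcessName='C:\Windows\System32\cmd.exe'; NewProcessName='C:\Windows\System32\tscon.exe'
        CommandLine='tscon 2 /dest:rdp-tcp#5' }
    # Service-based retry by a local admin: SYSTEM (machine account) under services.exe
    [pscustomobject]@{ TimeCreated='2024-02-26 11:27:05'; Computer='IT-WS-034'; SubjectUserName='IT-WS-034$'
        ParentProcessName='C:\Windows\System32\services.exe'; NewProcessName='C:\Windows\System32\tscon.exe'
        CommandLine='tscon 2 /dest:console' }
)

Test-TsconHijack -Events $SampleEvents -SessionOwners (Get-SessionOwners) | Format-Table -AutoSize
```

Against the sample the first tscon record is reported as ATTEMPT, the msmith record is skipped, and the services.exe record is reported as LIKELY TAKEOVER. For live data, feed it objects built from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` (the fields above are in the event XML) or from Defender's DeviceProcessEvents table, and build the owner map from quser.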
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed tscon.exe execution for session hijacking
2. Session Check | Identify active sessions on host | quser /server:IT-WS-034 | Session 2 (msmith) active; session 1 (bjones) active
3. User Interview | Contact bjones | Teams, Phone | User did not run tscon (account compromised)
4. Immediate Action | Isolate host | CrowdStrike | IT-WS-034 quarantined
5. Account Remediation | Disable bjones account | Azure AD, AD | Account disabled
6. Session Termination | Log off all sessions | PowerShell | All sessions terminated
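Steps 2 and 6 of the process above as one script, added here as an example (not the script the SOC used): parse quser output into objects, then log off every session on the host. The host name is taken from the report; the quser text is constructed for the example and is not captured from IT-WS-034.

```powershell
# Added example (not from the original report). quser prints fixed-width
# columns, leaves SESSIONNAME blank for disconnected sessions, and prefixes
# the caller's own row with ">", so a regex with an optional session field
# is safer than splitting on whitespace.

function ConvertFrom-QuserOutput {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $pattern = '^\s*>?\s*(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match '^\s*USERNAME\s+SESSIONNAME') { continue }   # header row
        if ($line -notmatch $pattern) { continue }
        [pscustomobject]@{
            User    = $Matches.User
            Session = $Matches.Session      # empty for disconnected sessions
            Id      = [int]$Matches.Id
            State   = $Matches.State        # Active or Disc
            Idle    = $Matches.Idle
            Logon   = $Matches.Logon
        }
    }
}

function Get-RdpSession {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # quser exits non-zero and writes to stderr when nobody is logged on.
    $raw = & quser /server:$ComputerName 2>$null
    ConvertFrom-QuserOutput -Lines $raw
}

function Stop-AllRdpSessions {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [switch] $WhatIf
    )
    foreach ($s in Get-RdpSession -ComputerName $ComputerName) {
        # logoff ends the session. tsdiscon would only disconnect it, which
        # leaves it alive and still attachable with tscon.
        if ($WhatIf) { "Would log off session $($s.Id) ($($s.User), $($s.State))"; continue }
        & logoff $s.Id /server:$ComputerName
    }
}

# Constructed quser output matching the step-2 finding, plus a disconnected
# service session to exercise the blank SESSIONNAME case.
$SampleQuser = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>bjones                rdp-tcp#1           1  Active          .  2/26/2024 10:45 AM',
    ' msmith                rdp-tcp#3           2  Active         25  2/26/2024 9:10 AM',
    ' svc_backup                                3  Disc         1+02  2/25/2024 8:00 PM'
)
ConvertFrom-QuserOutput -Lines $SampleQuser | Format-Table -AutoSize

# Live use on the incident host is destructive; preview first:
# Stop-AllRdpSessions -ComputerName 'IT-WS-034' -WhatIf
# Stop-AllRdpSessions -ComputerName 'IT-WS-034'
```

Logging off the sessions (rather than disconnecting them) matters here: a disconnected session stays resident and is exactly what a SYSTEM-level tscon can attach to later.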
Jira Incident Report
Ticket: SOC-2024-133
Summary: T1563 – RDP Session Hijacking Attempt via tscon.exe
Status: RESOLVED
Resolution: MALICIOUS – Hijacking Blocked
Priority: P1 – CRITICAL
Labels: T1563, session-hijacking, rdp, tscon, defender, lateral-movement
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “RDP Session Hijacking Attempt Detected”.
Host: IT-WS-034 (IT Workstation).
User (apparent): bjones (IT Admin).
Target Session: Session 2 (user msmith).
Time: 2024-02-26 11:30 EST.
Technique: MITRE ATT&CK T1563.002 – Remote Service Session Hijacking: RDP Hijacking.
2. Technical Analysis:
Attack Chain:
10:30 – bjones account compromised via phishing
10:45 – Attacker logs into IT-WS-034 via RDP
11:00 – Attacker enumerates active sessions (quser)
11:05 – Identifies session 2 (msmith) as target
11:25 – Attacker attempts tscon 2 /dest:console
11:25 – Defender detects and blocks
Session Hijacking Technique:
tscon.exe is a legitimate, signed Windows binary that attaches an existing session to a different session or to the console
Attaching to another user's session without that user's password requires running as SYSTEM (SeTcbPrivilege)
Attacker attempted to take over msmith's session without msmith's password
If successful, the attacker would have inherited msmith's desktop, open applications, cached credentials and data without performing a new logon
Privilege Requirements:
tscon requires SYSTEM (SeTcbPrivilege) to attach to another user's session without the password
bjones had local admin rights but not SeTcbPrivilege, so the command as run from cmd.exe is denied
A local administrator does not need an exploit to close that gap: a service created to run tscon executes as SYSTEM, and the same command retried that way succeeds; this is why the failed attempt was still treated as HIGH rather than as a harmless error
Outcome:
Attempt detected before success
No session takeover occurred
3. Investigation Findings:
Timeline:
10:30 – bjones account compromised
10:45 – Attacker logs in
11:00-11:25 – Reconnaissance and attempt
11:25 – Defender alert
11:27 – SOC investigates
11:28 – Host isolated
11:29 – bjones account disabled
11:30 – All sessions terminated
Indicators of Compromise (IoCs):
Commands:
– quser
– tscon 2 /dest:console
Account:
– bjones (compromised)
Host:
– IT-WS-034
4. Containment Actions:
Immediate Actions:
Isolated IT-WS-034 via CrowdStrike.
Disabled bjones account.
Terminated all active sessions.
Reset bjones password.
Host Remediation:
Full scan (no other malware).
Verified no persistence.
Reimaged as precaution.
User msmith:
Notified; password reset as precaution.
5. Root Cause Analysis:
Primary Cause: bjones account compromised via phishing.
Contributing Factors:
No MFA on admin account.
User had local admin rights (excessive).
Shared IT workstation hosted concurrent admin sessions with no session time limits, leaving msmith's session resident and attachable by any process running as SYSTEM on the host.
6. Business Impact:
Operational Impact: IT workstation offline; two admins affected.
Security Impact: Hijacking prevented; no unauthorized access.
7. Remediation & Prevention:
Completed Actions:
Account secured.
Host cleaned.
Hijacking prevented.
Technical Controls Enhanced:
Restricted use of tscon.exe via AppLocker.
Enforced MFA for all admins.
Implemented RDP session restrictions (disconnected and idle session time limits so sessions are logged off rather than left attachable; one session per user).
Enhanced monitoring for tscon execution (any tscon with /dest: targeting a session owned by another user, including when launched as SYSTEM from a service).
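The session-restriction and AppLocker controls from the list above as host-level settings, added here as an example (not the organisation's actual GPO or policy): the Terminal Services policy registry values that Group Policy writes, and an AppLocker deny rule for tscon.exe. The timeout values, the rule name and the use of the Everyone SID are assumptions for the example; run elevated on the target host.

```powershell
# Added example (not from the original report). Registry values under the
# Terminal Services policy key are what the corresponding Group Policy
# settings write, so they can be set locally or pushed via GPO.

$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdpSessionLimits {
    param(
        # Time a disconnected session may live before it is ended (ms).
        # An ended session cannot be attached with tscon.
        [int] $DisconnectTimeoutMs = 15 * 60 * 1000,
        # Idle time before an active session is disconnected (ms).
        [int] $IdleTimeoutMs = 60 * 60 * 1000
    )
    if (-not (Test-Path $TsPolicy)) { New-Item -Path $TsPolicy -Force | Out-Null }
    # Weak state this replaces: MaxDisconnectionTime=0 (never), fSingleSessionPerUser=0
    Set-ItemProperty -Path $TsPolicy -Name 'MaxDisconnectionTime'  -Type DWord -Value $DisconnectTimeoutMs
    Set-ItemProperty -Path $TsPolicy -Name 'MaxIdleTime'           -Type DWord -Value $IdleTimeoutMs
    # End the session when a limit is reached instead of merely disconnecting it
    Set-ItemProperty -Path $TsPolicy -Name 'fResetBroken'          -Type DWord -Value 1
    # One session per user: a second logon reconnects to the existing session
    Set-ItemProperty -Path $TsPolicy -Name 'fSingleSessionPerUser' -Type DWord -Value 1
    Get-ItemProperty -Path $TsPolicy |
        Select-Object MaxDisconnectionTime, MaxIdleTime, fResetBroken, fSingleSessionPerUser
}

function New-TsconDenyPolicy {
    param(
        [string] $Path = (Join-Path $env:TEMP 'deny-tscon.xml'),
        # Everyone (S-1-1-0) by default; use a dedicated admin group SID and
        # an accompanying allow rule if a small group must keep tscon.
        [string] $UserOrGroupSid = 'S-1-1-0'
    )
    $ruleId = [guid]::NewGuid().ToString()
    $policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$ruleId" Name="Deny tscon.exe" Description="Block session switching (T1563.002)" UserOrGroupSid="$UserOrGroupSid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\tscon.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $Path -Value $policy -Encoding UTF8
    return $Path
}

# Apply (elevated). -Merge adds the deny rule to the existing Exe collection;
# that collection must already hold allow rules (e.g. the AppLocker default
# rules), because an enforced collection containing only deny rules blocks
# every other executable. AppLocker is enforced by the Application Identity
# service, which is protected on current Windows, so use sc.exe to enable it.
# Set-AppLockerPolicy -XmlPolicy (New-TsconDenyPolicy) -Merge
# sc.exe config appidsvc start= auto; Start-Service appidsvc
# Set-RdpSessionLimits
```

The registry changes take effect for new sessions; existing sessions keep the limits they were created with, so log off sessions after applying them, as in step 6 of the investigation.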
8. Conclusion:
An attacker compromised an IT admin account and attempted to hijack another admin’s active RDP session using tscon.exe. Defender detected the suspicious process execution and enabled rapid containment before the hijacking could succeed.
Closure Rationale: Hijacking prevented; account secured; host cleaned.
Analyst: [Walter White], SOC Analyst Date: 2024-02-26 12:30 EST