title: Suspicious TSCON Start status: experimental description: Detects a tscon.exe start as LOCAL SYSTEM references: - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth date: 2018/03/17 tags: - attack.command_and_control - attack.t1219 logsource: category: process_creation product: windows detection: selection: User: NT AUTHORITY\SYSTEM Image: '*\tscon.exe' condition: selection falsepositives: - Unknown level: high