title: Suspicious TSCON Start
author: Florian Roth
date: 2018/03/17
description: Detects a tscon.exe start as LOCAL SYSTEM
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    User:
    - NT AUTHORITY\SYSTEM*
    - AUTORITE NT\Sys*
  SELECTION_3:
    Image: '*\tscon.exe'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 9847f263-4a81-424f-970c-875dab15b79b
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/08/26
references:
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
status: experimental
tags:
- attack.command_and_control
- attack.t1219
ruletype: SIGMA