AN1620: Analytic 1620
Detection of suspicious use of `tscon.exe` or equivalent methods to hijack legitimate RDP sessions. Defenders can observe anomalies such as session reassignments without corresponding authentication, processes spawned in the context of hijacked sessions, or unusual RDP network traffic flows that deviate from expected baselines.
Analyst context for executives and security teams
This analytic is about spotting suspicious hijacking of legitimate Windows RDP sessions, including misuse of tscon.exe or equivalent session reassignment behavior. The business issue is not just remote access abuse; it is that an attacker may appear to operate inside an already-authenticated user session, which can complicate accountability, incident scoping, and confidence in access-control evidence.
Executive priority
Prioritize this as a Windows remote-access monitoring and incident-readiness question: can the organization prove when an RDP session was reassigned, whether a new authentication occurred, and which processes ran in the resulting user context? This matters for SOC triage, privileged access review, audit evidence, and rapid containment decisions when suspicious remote administration activity is reported.
Technical view
For Windows environments, validate whether telemetry can show tscon.exe execution, session reassignment events, process creation in the context of an existing or reassigned RDP session, and RDP network flows that differ from normal administrative baselines. Because ATT&CK provides no separate detection logic or relationship context for this object, detection engineering should focus on correlating session state changes, authentication records, process ancestry, user context, and remote network activity rather than relying on a single command-line match.
Likely telemetry
- Windows process creation telemetry, especially execution of tscon.exe or comparable session-control utilities
- Windows authentication and logon/logoff records associated with RDP activity
- Terminal Services or remote desktop session state/change telemetry where available
- Process ancestry and user-context evidence for processes spawned inside RDP sessions
- Network telemetry showing RDP traffic flows and deviations from expected administrative baselines
Detection direction
- Correlate session reassignments with authentication events; prioritize cases where session movement occurs without a corresponding expected authentication trail.
- Review processes launched after suspicious session reassignment, especially where the user context, parent process, timing, or host role is unusual.
- Baseline legitimate RDP administration patterns by user, host, time, and network path to reduce false positives from approved helpdesk or systems administration activity.
- Avoid treating tscon.exe execution alone as conclusive; tune for surrounding context such as session changes, RDP flow anomalies, and spawned processes.
- Confirm whether logging covers the Windows systems where RDP administration is allowed; missing session telemetry is a material blind spot.
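As an added example (not part of the ATT&CK object or of this page), the following Python routine applies the correlation above to a handful of constructed, normalized Windows events: it flags each tscon.exe execution that lacks a nearby RDP (type 10) logon, runs under a service or machine account, has an unusual parent, or is followed by processes in another user's session. The event schema, the five-minute window and the "expected parent" set are assumptions to be replaced with local telemetry fields and baselines.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, normalized sample events (not real telemetry). Field names are
# assumptions: kind is "process" (process creation), "logon" (logon_type 10 =
# RemoteInteractive/RDP) or "session" (session state change).
@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    user: str
    image: str = ""
    parent: str = ""
    session_id: int = -1
    logon_type: int = 0

def t(s):
    return datetime.fromisoformat(s)

SAMPLE = [
    # Approved admin: RDP logon precedes tscon launched from an interactive shell.
    Event(t("2024-05-01T09:00:00"), "SRV1", "logon", "CORP\\helpdesk", logon_type=10),
    Event(t("2024-05-01T09:02:10"), "SRV1", "process", "CORP\\helpdesk", "tscon.exe", "cmd.exe", 3),
    # Suspicious: tscon from a service context with no RDP logon in the window,
    # followed by a process in a different user's session.
    Event(t("2024-05-01T13:10:00"), "SRV2", "process", "NT AUTHORITY\\SYSTEM", "tscon.exe", "services.exe", 0),
    Event(t("2024-05-01T13:10:45"), "SRV2", "process", "CORP\\finance.admin", "cmd.exe", "explorer.exe", 2),
]

EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}  # assumed local baseline

def detect(events, window=timedelta(minutes=5)):
    """Return one finding per tscon.exe execution with at least one anomaly reason."""
    findings = []
    for ev in events:
        if ev.kind != "process" or ev.image.lower() != "tscon.exe":
            continue
        reasons = []
        rdp_logons = [e for e in events if e.kind == "logon" and e.host == ev.host
                      and e.logon_type == 10 and abs(e.ts - ev.ts) <= window]
        if not rdp_logons:
            reasons.append("no RDP (type 10) logon on host within window")
        if ev.user.upper().endswith("$") or ev.user.upper() == "NT AUTHORITY\\SYSTEM":
            reasons.append(f"executed as service/machine account {ev.user}")
        if ev.parent.lower() not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent process {ev.parent}")
        follow = [e for e in events if e.kind == "process" and e.host == ev.host
                  and ev.ts < e.ts <= ev.ts + window
                  and e.user != ev.user and e.session_id != ev.session_id]
        if follow:
            reasons.append(f"{len(follow)} process(es) spawned in another user's session afterwards")
        if reasons:
            findings.append({"host": ev.host, "ts": ev.ts.isoformat(), "user": ev.user, "reasons": reasons})
    return findings
```

Each reason is kept separately so the SOC can weight them; the helpdesk case produces no finding, while the SRV2 case accumulates all four.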
Mitigation priorities
- Restrict and monitor RDP administrative access according to business need and privileged access policy.
- Ensure Windows logging and central collection can support session reassignment, authentication, process creation, and RDP network-flow review.
- Define expected remote administration baselines and exception paths so SOC teams can distinguish approved support activity from suspicious session behavior.
- Include RDP session hijack scenarios in incident response playbooks, including evidence preservation for session state, user context, and spawned processes.
- Use findings from detection validation to inform identity, access management, and remote administration control improvements.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Windows and describes suspicious tscon.exe or equivalent methods used to hijack legitimate RDP sessions. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this assessment emphasizes defensive validation rather than technique mapping or adversary attribution.
This assessment is limited to the official STIX fields, external reference, and absence of relationships provided. It does not establish active exploitation, attacker groups, prevalence, impact, or guaranteed detection coverage. Local logging configuration, RDP usage patterns, and administrative workflows are required to determine practical coverage and tuning.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c2e7d6cfbc25… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1620 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.