DET0588 Detection fo Remote Service Session Hijacking for RDP.

Item	Value
ID	DET0588
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1563.002 (RDP Hijacking)

Analytics

Windows

AN1620

Detection of suspicious use of tscon.exe or equivalent methods to hijack legitimate RDP sessions. Defenders can observe anomalies such as session reassignments without corresponding authentication, processes spawned in the context of hijacked sessions, or unusual RDP network traffic flows that deviate from expected baselines.

Log Sources

Data Component	Name	Channel
Logon Session Creation (DC0067)	WinEventLog:Security	EventCode=4624, 4648
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22
Service Creation (DC0060)	WinEventLog:System	EventCode=7045

Mutable Elements

Field	Description
ExpectedRDPHosts	Whitelist of systems and accounts authorized to use RDP; deviations indicate possible hijacking.
TimeWindow	Time threshold for correlating logon events with session reassignment and process execution.
SessionIDMapping	Environment-specific mapping of user accounts to session IDs; inconsistencies may reveal hijacking.