Adversaries who control the remote end of a legitimate RDP session can reach the RDP source machine's redirected drives through the tsclient share and drop a backdoor into that machine's Startup folder, gaining persistence and a foothold for lateral movement. On the source machine that write is performed by the RDP client process, mstsc.exe, which is what the rule below keys on. SOC teams should proactively hunt for this behavior in Azure Sentinel to catch it at this early stage.
Detection Rule (Sigma)

title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: test
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
author: Samir Bousseaden
references:
    - Internal Research
date: 2019-02-21
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\mstsc.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unlikely
level: high
Azure Sentinel query (ASIM imFileEvent)

// ActingProcessName holds the full path of the writing process (the Sigma 'Image' field);
// TargetFilePath holds the full path written (the Sigma 'TargetFilename' field).
// TargetFileName in ASIM is the bare file name, so a path 'contains' test on it would never match.
imFileEvent
| where ActingProcessName endswith "\\mstsc.exe"
    and TargetFilePath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
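To show what the rule's selection actually fires on, here is an added example (not part of the original rule or the Sigma project) that applies the same two conditions to constructed file_event records, case-insensitively as Sigma does, and adds an optional allowlist of dropped-file names to model the kind of exclusion the false-positive scenarios below describe. Field names follow the rule; the sample events and the allowlist are assumptions.

```python
# Added example: evaluate the Sigma selection (Image endswith '\mstsc.exe' AND
# TargetFilename contains the Startup folder) over constructed events.
from typing import Iterable

IMAGE_SUFFIX = "\\mstsc.exe"
# Lower-cased because Sigma's endswith/contains modifiers are case-insensitive.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: RDP client writing into the user's Startup folder: should alert
    {"Image": "C:\\Windows\\System32\\mstsc.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe"},
    # 2: Explorer creating a shortcut in Startup: wrong process, no alert
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.lnk"},
    # 3: RDP client saving a document elsewhere: wrong folder, no alert
    {"Image": "C:\\Windows\\System32\\mstsc.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
    # 4: mixed case, all-users Startup folder, a known maintenance script name
    {"Image": "C:\\Windows\\System32\\MSTSC.EXE",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\PatchManager.exe"},
]


def matches_rule(event: dict, allowlist: Iterable[str] = ()) -> bool:
    """True when the event satisfies 'selection' and is not on the allowlist."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    if STARTUP_FRAGMENT not in target:
        return False
    # Exclusion by dropped file name (the 'PatchManager.exe' style of filter).
    dropped_name = target.rsplit("\\", 1)[-1]
    return dropped_name not in {name.lower() for name in allowlist}


def hunt(events: Iterable[dict], allowlist: Iterable[str] = ()) -> list:
    """Return the TargetFilename of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e, allowlist)]


if __name__ == "__main__":
    for path in hunt(SAMPLE_EVENTS):
        print("ALERT:", path)
    print("with allowlist:", hunt(SAMPLE_EVENTS, allowlist=["PatchManager.exe"]))
```

Without the allowlist events 1 and 4 fire; with PatchManager.exe allowlisted only event 1 remains, which is the trade-off each exclusion in the scenarios below makes.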
False Positive Scenarios

Scenario: IT Admin Deploys Scheduled Task for System Maintenance
Description: An IT administrator creates a scheduled task using schtasks.exe to run a legitimate maintenance script on a remote machine via RDP. The script is placed in the startup folder as part of a standard patching process.
Filter/Exclusion: Exclude tasks created by the Administrators group or those with a known maintenance script name (e.g., PatchManager.exe).

Scenario: User Installs Legitimate Remote Desktop Application
Description: A user installs a third-party RDP client (e.g., Royal TSX) and configures it to auto-launch a script in the startup folder for convenience.
Filter/Exclusion: Exclude processes associated with known RDP clients (e.g., RoyalTSX.exe, mstsc.exe) or user-initiated installations.

Scenario: System Restore or Backup Process
Description: A system restore or backup tool (e.g., Veeam Backup & Replication, Acronis True Image) places a temporary script in the startup folder during a restore operation.
Filter/Exclusion: Exclude processes related to backup tools or system restore operations (e.g., VeeamBackup.exe, Acronis.exe).

Scenario: Admin Uses tsclient to Share Folder for Collaboration
Description: An admin uses tsclient to share a folder (e.g., \\RemoteMachine\SharedFolder) with a team for collaborative work, and the share is configured to auto-launch a script in the startup folder.
Filter/Exclusion: Exclude shares created by the Administrators group or those with a specific share name (e.g., CollabShare).

Scenario: Automated Patching Tool Places Script in Startup Folder
Description: A patch