mstsc.exe

  • File Path: C:\Windows\system32\mstsc.exe
  • Description: Remote Desktop Connection

Screenshot

mstsc.exe mstsc.exe mstsc.exe

Hashes

Type Hash
MD5 3A26640414CEE37FF5B36154B1A0B261
SHA1 E0C28B5FDF53A202A7543B67BBC97214BAD490ED
SHA256 1D1B6B2EDAC7AC6494C9EECDA3AFB804F679D7190F4D1A80929380E85743823F
SHA384 790E48ADFA8DB0054028F5A0609B4DAF8D18881192D8464DA8AC117CDF83A1331D9CD0EBC252895F75956B6A090ED198
SHA512 76FC70EAD57DDACD3DBCEC1A4772BD46924D30B30018A36B13052D2F7272CC86B63BF85D5E4EC04AAC08630D4B2637CA6E7D35C08CE6B675D63ED011F7D95BA2
SSDEEP 24576:F1h+4DCd1MiEvi6wMUQ5/qOHTTinTysuJb3Ov2nh7uRXXGIGdcI1Sdp1v302TKGa:vh+4DCnMiEvi6wM5dqOHP0TY93Ov2nhw
IMP 8ED9FD7812149E8C5396DE875FB2685E
PESHA1 D36D91D48EDB351D85FE3050163869280F008403
PE256 94CFB49380D93A3173CB5272D5B812A2991ADB37382000E233197484D6FF3F0A

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mstsc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f/detection

Possible Misuse

The following table contains possible examples of mstsc.exe being misused. While mstsc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_tsclient_filewrite_startup.yml Image\|endswith: '\mstsc.exe' DRL 1.0
sigma net_connection_win_susp_rdp.yml - '\mstsc.exe' DRL 1.0
sigma proc_creation_win_mimikatz_command_line.yml - 'mstsc' #ts module DRL 1.0
sigma proc_creation_win_mstsc.yml title: Remote Desktop Protocol Use Mstsc DRL 1.0
sigma proc_creation_win_mstsc.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc DRL 1.0
sigma proc_creation_win_mstsc.yml Image\|endswith: \mstsc.exe DRL 1.0
sigma proc_creation_win_rdp_hijack_shadowing.yml title: MSTSC Shadowing DRL 1.0
sigma proc_creation_win_rdp_hijack_shadowing.yml description: Detects RDP session hijacking by using MSTSC shadowing DRL 1.0
sigma registry_event_mstsc_history_cleared.yml description: Detects the deletion of registry keys containing the MSTSC connection history DRL 1.0
atomic-red-team T1021.001.md mstsc /v:$Server MIT License. © 2018 Red Canary
atomic-red-team T1021.001.md $p=Tasklist /svc /fi “IMAGENAME eq mstsc.exe” /fo csv | convertfrom-csv MIT License. © 2018 Red Canary
signature-base cn_pentestset_tools.yar $s1 = “srv\newclient\lib\win32\obj\i386\mstsc.pdb” fullword ascii CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a2 = “taskkill /f /im mstsc.exe” fullword ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


mstsc

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Creates connections to Remote Desktop Session Host servers or other remote computers, edits an existing Remote Desktop Connection (.rdp) configuration file, and migrates legacy connection files that were created with Client Connection Manager to new .rdp connection files.

Syntax

mstsc.exe [<connectionfile>] [/v:<server>[:<port>]] [/admin] [/f] [/w:<width> /h:<height>] [/public] [/span]
mstsc.exe /edit <connectionfile>
mstsc.exe /migrate

Parameters

Parameter Description
<connectionfile> Specifies the name of an .rdp file for the connection.
/v:<server>[:<port>] Specifies the remote computer and, optionally, the port number to which you want to connect.
/admin Connects you to a session for administering the server.
/f Starts Remote Desktop Connection in full-screen mode.
/w:<width> Specifies the width of the Remote Desktop window.
/h:<height> Specifies the height of the Remote Desktop window.
/public Runs Remote Desktop in public mode. In public mode, passwords and bitmaps aren’t cached.
/span Matches the Remote Desktop width and height with the local virtual desktop, spanning across multiple monitors if necessary.
/edit <connectionfile> Opens the specified .rdp file for editing.
/migrate Migrates legacy connection files that were created with Client Connection Manager to new .rdp connection files.
/? Displays help at the command prompt.
Remarks
  • Default.rdp is stored for each user as a hidden file in the user’s Documents folder.

  • User created .rdp files are saved by default in the user’s Documents folder, but can be saved anywhere.

  • To span across monitors, the monitors must use the same resolution and must be aligned horizontally (that is, side-by-side). There is currently no support for spanning multiple monitors vertically on the client system.

Examples

To connect to a session in full-screen mode, type:

mstsc /f

or

mstsc /v:computer1 /f

To assign width/height, type:

mstsc /v:computer1 /w:1920 /h:1080

To open a file called filename.rdp for editing, type:

mstsc /edit filename.rdp

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.