mstsc.exe
- File Path:
C:\WINDOWS\system32\mstsc.exe - Description: Remote Desktop Connection
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 8C6829F7B1E281B98C1C6166B7E275FE |
| SHA1 | 681E3519689B4FE798311A93A9AB9D63987000DB |
| SHA256 | 82406D460FD405BDFEF00E72769955B05EE89057C00C066296A092FF93348654 |
| SHA384 | BBE2517DEDABC7D0D48587EE00D6337E47DDEDE7EA3F71C664E21033C00115B3D292DF37F6B05FD12A580C9E9F7D48AB |
| SHA512 | 70B0D0E9EB8A373C20794E02DC06F51FC822BD8F25D916702864D2542F7ECCBB818E398B574654F85FFFE00D30599FF7D075C625C0D23A517EE2D0FE106AC71C |
| SSDEEP | 49152:n8bHNdwBllp3zjy0YcqiHZSwco0GVuYckzoTgLRyW+rsRejkHIISXeu0N6yPJmI1:vJ4sR+ps9l3RgHESlaM7qkTn/ZQobeZL |
| IMP | F4874B689BEC803ED9E3B71E4464711F |
| PESHA1 | FB49E465C967208A0F705F9307568478317546A8 |
| PE256 | D6E4C0497F9004A29D1440F1435DEA4E10D20FF6A665BA20053A5A17745E64B1 |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: mstsc.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/82406d460fd405bdfef00e72769955b05ee89057c00c066296a092ff93348654/detection
Possible Misuse
The following table contains possible examples of mstsc.exe being misused. While mstsc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_tsclient_filewrite_startup.yml | Image\|endswith: '\mstsc.exe' |
DRL 1.0 |
| sigma | net_connection_win_susp_rdp.yml | - '\mstsc.exe' |
DRL 1.0 |
| sigma | proc_creation_win_mimikatz_command_line.yml | - 'mstsc' #ts module |
DRL 1.0 |
| sigma | proc_creation_win_mstsc.yml | title: Remote Desktop Protocol Use Mstsc |
DRL 1.0 |
| sigma | proc_creation_win_mstsc.yml | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc |
DRL 1.0 |
| sigma | proc_creation_win_mstsc.yml | Image\|endswith: \mstsc.exe |
DRL 1.0 |
| sigma | proc_creation_win_rdp_hijack_shadowing.yml | title: MSTSC Shadowing |
DRL 1.0 |
| sigma | proc_creation_win_rdp_hijack_shadowing.yml | description: Detects RDP session hijacking by using MSTSC shadowing |
DRL 1.0 |
| sigma | registry_event_mstsc_history_cleared.yml | description: Detects the deletion of registry keys containing the MSTSC connection history |
DRL 1.0 |
| atomic-red-team | T1021.001.md | mstsc /v:$Server | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.001.md | $p=Tasklist /svc /fi “IMAGENAME eq mstsc.exe” /fo csv | convertfrom-csv | MIT License. © 2018 Red Canary |
| signature-base | cn_pentestset_tools.yar | $s1 = “srv\newclient\lib\win32\obj\i386\mstsc.pdb” fullword ascii | CC BY-NC 4.0 |
| signature-base | crime_cn_campaign_njrat.yar | $a2 = “taskkill /f /im mstsc.exe” fullword ascii | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
mstsc
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Creates connections to Remote Desktop Session Host servers or other remote computers, edits an existing Remote Desktop Connection (.rdp) configuration file, and migrates legacy connection files that were created with Client Connection Manager to new .rdp connection files.
Syntax
mstsc.exe [<connectionfile>] [/v:<server>[:<port>]] [/admin] [/f] [/w:<width> /h:<height>] [/public] [/span]
mstsc.exe /edit <connectionfile>
mstsc.exe /migrate
Parameters
| Parameter | Description |
|---|---|
<connectionfile> |
Specifies the name of an .rdp file for the connection. |
/v:<server>[:<port>] |
Specifies the remote computer and, optionally, the port number to which you want to connect. |
| /admin | Connects you to a session for administering the server. |
| /f | Starts Remote Desktop Connection in full-screen mode. |
/w:<width> |
Specifies the width of the Remote Desktop window. |
/h:<height> |
Specifies the height of the Remote Desktop window. |
| /public | Runs Remote Desktop in public mode. In public mode, passwords and bitmaps aren’t cached. |
| /span | Matches the Remote Desktop width and height with the local virtual desktop, spanning across multiple monitors if necessary. |
/edit <connectionfile> |
Opens the specified .rdp file for editing. |
| /migrate | Migrates legacy connection files that were created with Client Connection Manager to new .rdp connection files. |
| /? | Displays help at the command prompt. |
Remarks
-
Default.rdp is stored for each user as a hidden file in the user’s Documents folder.
-
User created .rdp files are saved by default in the user’s Documents folder, but can be saved anywhere.
-
To span across monitors, the monitors must use the same resolution and must be aligned horizontally (that is, side-by-side). There is currently no support for spanning multiple monitors vertically on the client system.
Examples
To connect to a session in full-screen mode, type:
mstsc /f
or
mstsc /v:computer1 /f
To assign width/height, type:
mstsc /v:computer1 /w:1920 /h:1080
To open a file called filename.rdp for editing, type:
mstsc /edit filename.rdp
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.