tscon.exe

  • File Path: C:\windows\system32\tscon.exe
  • Description: Session Connection Utility

Hashes

Type Hash
MD5 074538506BFAE9C0087C246AB3C59218
SHA1 A8DBB83381DD40A76CFD4F0B5A21C42991597408
SHA256 9A47AAFC2C4104733BD3C6D7F8458D1F7669496DF2C0EABC2C8D0BE75FEEB129
SHA384 F1CEA9343C1FB687001BB9E70E65AA916D659AEA82DD4719E385E09F0E3BD332B65325C10C8097B5EFA54F2540BB0895
SHA512 41BDB2DA92F0F2F3BAB90EE619588772E9741FB61C31F348D7967AAF4EA39173104713AFD2BE11151812736F211A064A5EBB3439EBDF3B89C93AF1CCBEC1FF62
SSDEEP 384:DkDdlQS/hFkOcDz6N4s7vyOCE155bjSkF9cyF9x2M/sD2VcobeeO5zWjPgW:Dolv/TrAmVzV9WO9cod/uAO5s

Signature

  • Status: The file C:\windows\system32\tscon.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: tscon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of tscon.exe being misused. While tscon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_tscon_localsystem.yml title: Suspicious TSCON Start as SYSTEM DRL 1.0
sigma proc_creation_win_susp_tscon_localsystem.yml description: Detects a tscon.exe start as LOCAL SYSTEM DRL 1.0
sigma proc_creation_win_susp_tscon_localsystem.yml Image\|endswith: '\tscon.exe' DRL 1.0
sigma proc_creation_win_susp_tscon_rdp_redirect.yml title: Suspicious RDP Redirect Using TSCON DRL 1.0
sigma proc_creation_win_susp_tscon_rdp_redirect.yml description: Detects a suspicious RDP session redirect using tscon.exe DRL 1.0
atomic-red-team T1563.002.md Adversaries may perform RDP session hijacking which involves stealing a legitimate user’s remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1563.002.md sc.exe create sesshijack binpath= “cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}” MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


tscon

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Connects to another session on a Remote Desktop Session Host server.

[!IMPORTANT] You must have Full Control access permission or Connect special access permission to connect to another session.

[!NOTE] To find out what’s new in the latest version, see What’s New in Remote Desktop Services in Windows Server.

Syntax

tscon {<sessionID> | <sessionname>} [/dest:<sessionname>] [/password:<pw> | /password:*] [/v]

Parameters

Parameter Description
<sessionID> Specifies the ID of the session to which you want to connect. If you use the optional /dest:<sessionname> parameter, you can also specify the name of the current session.
<sessionname> Specifies the name of the session to which you want to connect.
/dest:<sessionname> Specifies the name of the current session. This session will disconnect when you connect to the new session. You can also use this parameter to connect the session of another user to a different session.
/password:<pw> Specifies the password of the user who owns the session to which you want to connect. This password is required when the connecting user does not own the session.
/password:* Prompts for the password of the user who owns the session to which you want to connect.
/v Displays information about the actions being performed.
/? Displays help at the command prompt.
Remarks
  • This command fails if you don’t specify a password in the /password parameter, and the target session belongs to a user other than the current one.

  • You can’t connect to the console session.

Examples

To connect to Session 12 on the current Remote Desktop Services Session Host server, and to disconnect the current session, type:

tscon 12

To connect to Session 23 on the current Remote Desktop Services Session Host server using the password mypass, and to disconnect the current session, type:

tscon 23 /password:mypass

To connect the session named TERM03 to the session named TERM05, and then to disconnect session TERM05, type:

tscon TERM03 /v /dest:TERM05

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.