tscon.exe

• File Path: C:\WINDOWS\system32\tscon.exe
• Description: Session Connection Utility

Hashes

Type	Hash
MD5	E27C2EB8099580F84AF0330A284BF6D5
SHA1	D60F7C80444CE4269DF09B1B0C1D635EF70243C9
SHA256	C312D4D59166C44D0ADFF0DD6A382B33C23DB0E45D11F66FB4262CD055A474E9
SHA384	FB02F2B22C19CFC3118F3A97540E99F741F8AABF17EC32DF2EA39B5FAAAD4B1366786117B45CB312586EE898DF99B1E1
SHA512	3DAAA3396C807B32F02067CD33069B9BD8217047C6E09791F68C0C5035E814243E6AE142D9A62938EC14199A5D2E010F6CDAEE6E3171C865C85F86BA5AB811CE
SSDEEP	384:IWdd0KN1wh/3x2mEK/QNjAmshYSmly0rhzc2Z5KZ6Nz9mVZdW8ZdmRoSaP1Q8rWq:ItSwh/hMKsijmlDFzJwZY9mDdRdPG8Z
IMP	24472C36A35ED9C96546FC249317D860
PESHA1	A4087D475FE7D601E05DF6E0EECCBAF3E8CE9E38
PE256	4CD93320E0BDE01F6C70C8C5F0327ED332AF7E9087E43E745522AFAD2AC3F012

Runtime Data

Usage (stdout):

Attaches a user session to a remote desktop session.

TSCON {sessionid | sessionname} [/DEST:sessionname]
        [/PASSWORD:pw | /PASSWORD:*] [/V]

  sessionid          The ID of the session.
  sessionname        The name of the session.
  /DEST:sessionname  Connect the session to destination sessionname.
  /PASSWORD:pw       Password of user owning identified session.
  /V                 Displays information about the actions performed.

Usage (stderr):

Invalid parameter(s)
Attaches a user session to a remote desktop session.

TSCON {sessionid | sessionname} [/DEST:sessionname]
        [/PASSWORD:pw | /PASSWORD:*] [/V]

  sessionid          The ID of the session.
  sessionname        The name of the session.
  /DEST:sessionname  Connect the session to destination sessionname.
  /PASSWORD:pw       Password of user owning identified session.
  /V                 Displays information about the actions performed.

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\tscon.exe

Signature

• Status: Signature verified.
• Serial: 33000002ED2C45E4C145CF48440000000002ED
• Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: tscon.exe.mui
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.22000.1 (WinBuild.160101.0800)
• Product Version: 10.0.22000.1
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.
• Machine Type: 64-bit

File Scan

• VirusTotal Detections: 0/73
• VirusTotal Link: https://www.virustotal.com/gui/file/c312d4d59166c44d0adff0dd6a382b33c23db0e45d11f66fb4262cd055a474e9/detection

Possible Misuse

The following table contains possible examples of tscon.exe being misused. While tscon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_susp_tscon_localsystem.yml	title: Suspicious TSCON Start as SYSTEM	DRL 1.0
sigma	proc_creation_win_susp_tscon_localsystem.yml	description: Detects a tscon.exe start as LOCAL SYSTEM	DRL 1.0
sigma	proc_creation_win_susp_tscon_localsystem.yml	Image\|endswith: '\tscon.exe'	DRL 1.0
sigma	proc_creation_win_susp_tscon_rdp_redirect.yml	title: Suspicious RDP Redirect Using TSCON	DRL 1.0
sigma	proc_creation_win_susp_tscon_rdp_redirect.yml	description: Detects a suspicious RDP session redirect using tscon.exe	DRL 1.0
atomic-red-team	T1563.002.md	Adversaries may perform RDP session hijacking which involves stealing a legitimate user’s remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)</blockquote>	MIT License. © 2018 Red Canary
atomic-red-team	T1563.002.md	sc.exe create sesshijack binpath= “cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}”	MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

---

tscon

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Connects to another session on a Remote Desktop Session Host server.

[!IMPORTANT] You must have Full Control access permission or Connect special access permission to connect to another session.

[!NOTE] To find out what’s new in the latest version, see What’s New in Remote Desktop Services in Windows Server.

Syntax

tscon {<sessionID> | <sessionname>} [/dest:<sessionname>] [/password:<pw> | /password:*] [/v]

Parameters

Parameter	Description
<sessionID>	Specifies the ID of the session to which you want to connect. If you use the optional /dest:<sessionname> parameter, you can also specify the name of the current session.
<sessionname>	Specifies the name of the session to which you want to connect.
/dest:<sessionname>	Specifies the name of the current session. This session will disconnect when you connect to the new session. You can also use this parameter to connect the session of another user to a different session.
/password:<pw>	Specifies the password of the user who owns the session to which you want to connect. This password is required when the connecting user does not own the session.
/password:*	Prompts for the password of the user who owns the session to which you want to connect.
/v	Displays information about the actions being performed.
/?	Displays help at the command prompt.

Remarks

• This command fails if you don’t specify a password in the /password parameter, and the target session belongs to a user other than the current one.

• You can’t connect to the console session.

Examples

To connect to Session 12 on the current Remote Desktop Services Session Host server, and to disconnect the current session, type:

tscon 12

To connect to Session 23 on the current Remote Desktop Services Session Host server using the password mypass, and to disconnect the current session, type:

tscon 23 /password:mypass

To connect the session named TERM03 to the session named TERM05, and then to disconnect session TERM05, type:

tscon TERM03 /v /dest:TERM05

Additional References

• Command-Line Syntax Key

• Remote Desktop Services (Terminal Services) Command Reference

---

MIT License. Copyright (c) 2020-2021 Strontic.