Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Medium |
Description
The executable tscon.exe can be used to hijack other sessions on the same computer. The attacker may use another user's credentials to proceed with the lateral movement or disguise the activity.
Attacker's Goals
Attackers might hijack existing sessions on the same host to gain access to private data or leverage the logged-in user credentials to laterally move across the network.
Investigative actions
- Verify if the executing process is suspicious.
- Investigate if the interactive user did any more suspicious or malicious actions.