mstsc.exe - Remote Desktop Client Security Analysis
mstsc.exe is the Microsoft Remote Desktop Connection client for RDP sessions. It is heavily used by attackers for lateral movement after gaining credentials. RDP is one of the most common attack vectors for ransomware deployment and post-exploitation. Unexpected mstsc.exe usage is a strong indicator of compromise.
Risk Summary
HIGH priority for SOC triage. mstsc.exe is the RDP client and a primary lateral movement tool. Monitor for unexpected RDP connections, connections to unusual destinations, and mstsc.exe spawned from suspicious parents. RDP is a top ransomware vector.
Overview
What is mstsc.exe?
mstsc.exe (Microsoft Terminal Services Client) is the RDP client.
Core Functions
Remote Desktop:
- Connect to RDP servers
- Remote administration
- File transfer via clipboard
- Remote application access
Security Significance
- Lateral Movement: Top attack vector
- Ransomware Favorite: Initial access + spread
- Credential Risk: Pass-the-hash capable
- Persistence: Saved credentials
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\mstsc.exe |
| Parent | explorer.exe (user launch) |
| User | Logged-in user |
| Network | Port 3389 to known servers |
Command Line Examples
mstsc.exe
mstsc.exe /v:server.domain.com
mstsc.exe connection.rdp
Common Locations
C:\Windows\System32\mstsc.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Parent: explorer.exe
Destination: Known corporate servers
User: IT administrators
Time: Business hours
SUSPICIOUS
Parent: cmd.exe, powershell.exe
Destination: Unknown/external IPs
User: Non-admin accounts
Time: After hours
Context: After credential theft
Rapid multiple connections
High-Risk Patterns
| Pattern | Risk |
|---|---|
| mstsc.exe from script | HIGH |
| External IP destination | CRITICAL |
| Multiple rapid connections | CRITICAL |
| Non-IT user initiating | HIGH |
Abuse Techniques
Technique #1: Lateral Movement via RDP (T1021.001)
Using Stolen Credentials:
mstsc.exe /v:192.168.1.100
:: Enter stolen credentials
Technique #2: RDP Hijacking (T1563.002)
Hijacking disconnected RDP sessions:
tscon <SessionID> /dest:rdp-tcp#0
Technique #3: Restricted Admin Mode Abuse
mstsc.exe /restrictedAdmin /v:target
:: Pass-the-hash without plaintext password
Technique #4: RDP for Persistence
Enabling RDP for future access:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
Detection Guidance
Priority #1: Unusual RDP Source
Process = "mstsc.exe" AND
Parent NOT IN ["explorer.exe"]
→ ALERT: HIGH - Scripted RDP
Priority #2: External Destinations
Process = "mstsc.exe" AND
DestinationIP = "External"
→ ALERT: CRITICAL - External RDP
Priority #3: Rapid Connections
mstsc.exe connections > 5 within 10 minutes
→ ALERT: CRITICAL - Lateral movement spray
Priority #4: Event Log Analysis
Event ID 4624 with LogonType 10 (RemoteInteractive, i.e. RDP) in the Security log
Event ID 1149 (TerminalServices-RemoteConnectionManager/Operational: RDP connection accepted)
PowerShell Detection:
# Pull Security 4624 (successful logon) events and keep only LogonType 10 (RemoteInteractive/RDP).
# Property indices for 4624: [5] TargetUserName, [8] LogonType, [18] IpAddress (source of the connection).
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624} | Where-Object {
    $_.Properties[8].Value -eq 10
} | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='SourceIP';E={$_.Properties[18].Value}}
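The Priority #1 to #3 rules above, together with the legitimate/suspicious indicators from the previous section, as an added Python example that is not code from the original page: it evaluates constructed process-creation events against the expected-parent list, an assumed set of internal address ranges (external means anything outside them), and the page's threshold of more than 5 mstsc.exe launches in 10 minutes. The event field names, the internal ranges and the sample events are assumptions made for the example.

```python
"""Added example: prototype of the process-based RDP detection rules over sample events."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Rule parameters from the page: expected parent and "> 5 connections within 10 minutes".
EXPECTED_PARENTS = {"explorer.exe"}
SPRAY_THRESHOLD = 5
SPRAY_WINDOW = timedelta(minutes=10)

# Assumed corporate address space; a real deployment would load this from the CMDB/SIEM.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(dest):
    """True when dest is an IP address outside the internal ranges; hostnames are not classified."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect_rdp(events):
    """events: dicts with keys time (ISO 8601), host, user, process, parent, dest.
    Returns (severity, rule, host, user, detail) tuples in time order."""
    alerts = []
    launches = defaultdict(list)  # (host, user) -> recent mstsc.exe launch timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["process"].lower() != "mstsc.exe":
            continue
        ts = datetime.fromisoformat(ev["time"])

        # Priority #1: mstsc.exe not launched interactively from explorer.exe
        if ev["parent"].lower() not in EXPECTED_PARENTS:
            alerts.append(("HIGH", "Scripted RDP", ev["host"], ev["user"], f"parent={ev['parent']}"))

        # Priority #2: destination outside the internal address space
        if ev.get("dest") and is_external(ev["dest"]):
            alerts.append(("CRITICAL", "External RDP", ev["host"], ev["user"], f"dest={ev['dest']}"))

        # Priority #3: sliding window per (host, user); fire once when the count exceeds the threshold
        key = (ev["host"], ev["user"])
        window = [t for t in launches[key] if ts - t <= SPRAY_WINDOW] + [ts]
        launches[key] = window
        if len(window) == SPRAY_THRESHOLD + 1:
            alerts.append(("CRITICAL", "Lateral movement spray", ev["host"], ev["user"],
                           f"{len(window)} launches within {SPRAY_WINDOW}"))
    return alerts


# Constructed sample telemetry (not real data): one benign launch, one scripted launch to an
# external address, one non-RDP process, and six interactive launches in six minutes.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:05:00", "host": "WS01", "user": "alice", "process": "mstsc.exe",
     "parent": "explorer.exe", "dest": "10.0.0.5"},
    {"time": "2024-05-01T23:10:00", "host": "WS02", "user": "svc-backup", "process": "mstsc.exe",
     "parent": "powershell.exe", "dest": "203.0.113.7"},
    {"time": "2024-05-01T23:11:00", "host": "WS02", "user": "svc-backup", "process": "notepad.exe",
     "parent": "explorer.exe", "dest": None},
] + [
    {"time": f"2024-05-01T23:{12 + i}:00", "host": "WS03", "user": "bob", "process": "mstsc.exe",
     "parent": "explorer.exe", "dest": f"10.0.0.{20 + i}"}
    for i in range(6)
]

if __name__ == "__main__":
    for severity, rule, host, user, detail in detect_rdp(SAMPLE_EVENTS):
        print(f"{severity:8} {rule:24} {host} {user} {detail}")
```

Only the rate rule fires for bob because the six launches come from explorer.exe and stay inside the internal ranges; svc-backup trips both the parent rule and the external-destination rule. In a SIEM the same three checks would be expressed as separate rules so that each can be tuned (for example adding jump-server parents or excluding known VPN egress ranges) without affecting the others.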
Remediation Steps
Defense: Network Level Authentication
Require NLA for RDP connections.
Defense: Restrict RDP Access
Limit RDP to jump servers and specific IPs.
Defense: Multi-Factor Authentication
Implement MFA for RDP access.
If Compromise Suspected
- Review RDP event logs
- Check for lateral movement
- Identify compromised credentials
- Reset affected passwords
- Review connected systems
- Enable NLA and MFA
Investigation Checklist
- Review mstsc.exe parent process
- Check destination IPs/hostnames
- Review Event ID 4624 (LogonType 10)
- Check for multiple rapid connections
- Identify user context
- Review for unusual hours
- Check for Restricted Admin usage
- Correlate with credential theft