mstsc.exe - Remote Desktop Client Security Analysis
mstsc.exe is the **Microsoft Remote Desktop Connection** client for RDP sessions. It is heavily used by attackers for **lateral movement** after gaining credentials. RDP is one of the **most common attack vectors** for ransomware deployment and post-exploitation. Unexpected mstsc.exe usage is a strong indicator of compromise.
Risk Summary
HIGH priority for SOC triage. mstsc.exe is the RDP client and a primary lateral movement tool. Monitor for unexpected RDP connections, connections to unusual destinations, and mstsc.exe spawned from suspicious parents. RDP is a top ransomware vector.
Overview
What is mstsc.exe?
mstsc.exe (Microsoft Terminal Services Client) is the RDP client.
Core Functions
Remote Desktop:
- Connect to RDP servers
- Remote administration
- File transfer via clipboard
- Remote application access
Security Significance
- Lateral Movement: Top attack vector
- Ransomware Favorite: Initial access + spread
- Credential Risk: Pass-the-hash capable (via Restricted Admin mode, see Technique #3)
- Persistence: Saved credentials
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\mstsc.exe |
| Parent | explorer.exe (user launch) |
| User | Logged-in user |
| Network | Port 3389 to known servers |
Command Line Examples
mstsc.exe
mstsc.exe /v:server.domain.com
mstsc.exe connection.rdp
Common Locations
C:\Windows\System32\mstsc.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Parent: explorer.exe
Destination: Known corporate servers
User: IT administrators
Time: Business hours
SUSPICIOUS
Parent: cmd.exe, powershell.exe
Destination: Unknown/external IPs
User: Non-admin accounts
Time: After hours
Context: After credential theft
Rapid multiple connections
High-Risk Patterns
| Pattern | Risk |
|---|---|
| mstsc.exe from script | HIGH |
| External IP destination | CRITICAL |
| Multiple rapid connections | CRITICAL |
| Non-IT user initiating | HIGH |
Abuse Techniques
Attack Techniques
Technique #1: Lateral Movement via RDP (T1021.001)
Using Stolen Credentials:
mstsc.exe /v:192.168.1.100
:: Enter stolen credentials
Technique #2: RDP Hijacking (T1563.002)
Hijacking disconnected RDP sessions:
tscon <SessionID> /dest:rdp-tcp#0
Technique #3: Restricted Admin Mode Abuse
mstsc.exe /restrictedAdmin /v:target
:: Pass-the-hash without plaintext password
Technique #4: RDP for Persistence
Enabling RDP for future access:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
Detection Guidance
Detection Strategies
Priority #1: Unusual RDP Source
Process = "mstsc.exe" AND
Parent NOT IN ["explorer.exe"]
→ ALERT: HIGH - Scripted RDP
Priority #2: External Destinations
Process = "mstsc.exe" AND
DestinationIP = "External"
→ ALERT: CRITICAL - External RDP
Priority #3: Rapid Connections
mstsc.exe connections > 5 within 10 minutes
→ ALERT: CRITICAL - Lateral movement spray
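As an added example (not part of the original page), the Priority #1-#3 rules above applied in Python to a constructed batch of process-creation events; the field names, hosts, users and addresses are assumptions, and a destination counts as external when it is an IP address outside the RFC 1918 ranges.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed process-creation events (hypothetical field names, modelled loosely on
# Sysmon Event ID 1 / Security 4688). Not telemetry from any real host.
EVENTS = [
    {"ts": "2024-03-01T09:15:00", "host": "WS01", "parent": "explorer.exe",
     "cmd": "mstsc.exe /v:fileserver01.corp.local"},
    {"ts": "2024-03-01T22:40:10", "host": "WS07", "parent": "powershell.exe",
     "cmd": "mstsc.exe /v:203.0.113.45"},
] + [  # six more launches in six minutes from WS07: a sweep across 10.0.5.x
    {"ts": f"2024-03-01T22:4{i}:30", "host": "WS07", "parent": "cmd.exe",
     "cmd": f"mstsc.exe /v:10.0.5.{30 + i}"} for i in range(1, 7)
]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def destination(cmd):
    """Target of the /v: switch with any :port suffix dropped, or None if absent."""
    for tok in cmd.split():
        if tok.lower().startswith("/v:"):
            host, sep, port = tok[3:].rpartition(":")
            return host if sep and port.isdigit() else tok[3:]
    return None

def is_external(dest):
    """True for an IP outside RFC 1918; hostnames are treated as internal here."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return False  # in production, resolve names against the asset inventory
    return not any(ip in net for net in INTERNAL)

def triage(events, burst=5, window=timedelta(minutes=10)):
    """Apply the Priority #1-#3 rules above; returns (severity, reason, host) tuples."""
    alerts, launches = [], {}
    for e in events:
        if not e["cmd"].lower().startswith("mstsc.exe"):
            continue
        if e["parent"].lower() != "explorer.exe":  # Priority #1: scripted launch
            alerts.append(("HIGH", f"scripted RDP, parent {e['parent']}", e["host"]))
        dest = destination(e["cmd"])
        if dest and is_external(dest):  # Priority #2: external destination
            alerts.append(("CRITICAL", f"external RDP destination {dest}", e["host"]))
        launches.setdefault(e["host"], []).append(datetime.fromisoformat(e["ts"]))
    for host, times in launches.items():  # Priority #3: more than `burst` launches per window
        times.sort()
        if any(sum(1 for t in times[i:] if t - times[i] <= window) > burst
               for i in range(len(times))):
            alerts.append(("CRITICAL", f">{burst} RDP launches within {window}", host))
    return alerts
```

Running `triage(EVENTS)` flags only WS07: seven HIGH alerts for the scripted parents, one CRITICAL for the external destination and one CRITICAL for the burst.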
Priority #4: Event Log Analysis
Event ID 4624 with LogonType 10 (RemoteInteractive, i.e. RDP)
Event ID 1149 (RDP Success)
PowerShell Detection:
```powershell
# Successful logons (4624) whose LogonType (property index 8) is 10 = RemoteInteractive (RDP)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
        @{N='User'; E={ $_.Properties[5].Value }},      # TargetUserName
        @{N='SourceIP'; E={ $_.Properties[18].Value }}  # IpAddress of the RDP client
```
Remediation Steps
Protection and Remediation
Defense: Network Level Authentication
Require NLA for RDP connections.
Defense: Restrict RDP Access
Limit RDP to jump servers and specific IPs.
Defense: Multi-Factor Authentication
Implement MFA for RDP access.
If Compromise Suspected
- Review RDP event logs
- Check for lateral movement
- Identify compromised credentials
- Reset affected passwords
- Review connected systems
- Enable NLA and MFA
Investigation Checklist
- Review mstsc.exe parent process
- Check destination IPs/hostnames
- Review Event ID 4624 (LogonType 10)
- Check for multiple rapid connections
- Identify user context
- Review for unusual hours
- Check for Restricted Admin usage
- Correlate with credential theft