Process

mstsc.exe

mstsc.exe is the Remote Desktop Connection client, the program that opens an RDP session to another computer. Administrators and remote workers use it to reach servers and desktops; attackers use it to move laterally with stolen credentials. Either way it leaves useful traces of where an operator went.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

mstsc.exe connects to a remote computer over the Remote Desktop Protocol (RDP). It takes a target with /v:<host>[:port], can open a saved .rdp connection file passed as a bare argument (which is also how a double-clicked .rdp file launches it), and supports switches for gateways (/g:<gateway>), the console or admin session (/admin), restricted-admin mode (/restrictedAdmin), Remote Credential Guard (/remoteGuard), and session shadowing (/shadow:<sessionID>, optionally with /control). The genuine binary lives at C:\Windows\System32\mstsc.exe. It records connection history per user: the most recently used hosts under HKCU\Software\Microsoft\Terminal Server Client\Default (MRU0, MRU1, ...), the last username tried against each host under HKCU\Software\Microsoft\Terminal Server Client\Servers\<host> (UsernameHint), and the last-used settings in Default.rdp in the user's Documents folder. These are useful artifacts when reconstructing movement.

Legitimately, mstsc is run by administrators and remote workers to reach servers and desktops. What gives an instance meaning is where it connects, under whose account, and from what parent process it was started.

Security notes

mstsc.exe is the everyday tool for RDP lateral movement (T1021.001). After stealing credentials, an attacker uses Remote Desktop to log in to other machines interactively, blending with normal administration. The patterns that stand out are RDP fanning out to many hosts quickly, RDP initiated from a server or service context that has no reason to, and connections driven by a script rather than a person.

mstsc is also an artifact source. Its per-user connection history on the source machine pairs with the logon events on the targets: Security event 4624 with logon type 10 (RemoteInteractive), Microsoft-Windows-TerminalServices-LocalSessionManager/Operational events 21 (session logon) and 25 (session reconnect), and Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational event 1149 (authentication succeeded), each carrying the source address. Together they reconstruct an operator's path through the network. Because the tool itself is legitimate, the destinations, the account, and the origin are what distinguish administration from intrusion.

Anomaly signals
  • Image path other than C:\Windows\System32\mstsc.exe (high)
  • Connections to many internal hosts in a short time (RDP spread) (high)
  • Launched by a script host or a non-interactive process (high)
  • Connections originating from a server or a service account that should not initiate RDP (med)
  • A .rdp file from a user-writable or emailed location (med)

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
