Detect tscon execution from event logs
Is it possible to determine whether someone has hijacked a RDP session with tscon?
I tried to look into TerminalService-LocalSessionManager logs, the EventID 25 looks much like it, but a normal reconnect would create the same log entry.
An… Continue reading Detect tscon execution from event logs