{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tsclient/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["lateral-movement","execution","rdp","tsclient","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of processes originating from the \u003ccode\u003etsclient\u003c/code\u003e mount point in Windows environments. The \u003ccode\u003etsclient\u003c/code\u003e directory is used by Remote Desktop Protocol (RDP) to share local resources, such as drives, from the client machine with the remote host. Attackers can leverage this shared mount point to transfer and execute malicious payloads on the target system, thereby achieving lateral movement within the network. Successful exploitation may lead to unauthorized access to sensitive data and systems, further compromising the organization\u0026rsquo;s security posture. This behavior is detected via process monitoring on the endpoint and analysis of the process executable path. The rule aims to detect post-exploitation activity, not initial access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s machine, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RDP session to a target host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker copies a malicious executable to a drive shared via RDP\u0026rsquo;s \u003ccode\u003etsclient\u003c/code\u003e mountpoint.\u003c/li\u003e\n\u003cli\u003eOn the target host, the attacker navigates to the \u003ccode\u003e\\\\Device\\\\Mup\\\\tsclient\u003c/code\u003e directory, representing the shared drive.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious executable from the \u003ccode\u003etsclient\u003c/code\u003e directory. This execution could be triggered via command line, script, or other execution mechanisms.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs actions such as reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the compromised host to pivot and compromise other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the target system, potentially leading to complete system compromise. This can result in data theft, system disruption, or further lateral movement within the network. The number of victims and sectors targeted depends on the attacker\u0026rsquo;s objectives and the scope of the compromised environment. The rule detects potential lateral movement attempts and unauthorized code execution, which could lead to severe data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided to your SIEM to detect execution from the TSClient mountpoint and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with full command line auditing (e.g., via Sysmon) to ensure the rule has the necessary data to function (Data Source: Sysmon, Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any alerts generated by the Sigma rule to determine if the execution from the TSClient mountpoint is legitimate or malicious (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eConsider restricting RDP access and disabling drive redirection where possible to minimize the attack surface (Overview).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to prevent the execution of unauthorized executables from the TSClient mountpoint (Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T17:46:40Z","date_published":"2026-05-12T17:46:40Z","id":"https://feed.craftedsignal.io/briefs/2026-05-execution-from-tsclient-mup/","summary":"The rule detects execution of processes from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on Windows hosts, which may indicate a lateral movement attempt.","title":"Execution via TSClient Mountpoint","url":"https://feed.craftedsignal.io/briefs/2026-05-execution-from-tsclient-mup/"}],"language":"en","title":"CraftedSignal Threat Feed — Tsclient","version":"https://jsonfeed.org/version/1.1"}