Lateral Movement · Term

What is RDP session hijacking?

RDP session hijacking lets a SYSTEM-level attacker connect to another user’s existing remote-desktop session without their password. If an admin is logged in, the attacker becomes that admin. Here is how it works.

TL;DR

RDP session hijacking is taking over another user’s existing Remote Desktop session without knowing their password. With SYSTEM privileges on a machine, an attacker can use the built-in tscon command to connect a target’s disconnected or active session to their own, instantly acting as that user. If a Domain Admin has a lingering session on the host, this is a direct path to their privileges. It abuses a legitimate Windows feature, so the defence is operational: avoid leaving privileged sessions on shared hosts.

By John Dill, Red Team Lead, SecureLayer7

What RDP session hijacking is

Windows lets multiple user sessions exist on a machine (active or disconnected). The built-in `tscon` utility can connect one session to another terminal.

When run as SYSTEM, `tscon` does not require the target session’s password; it simply attaches that session to the attacker’s. So an attacker who has SYSTEM on a server hosting other users’ RDP sessions can resume any of them as that user, including an administrator who disconnected without logging off.

The abuse and payload

With SYSTEM on the host, the attacker lists sessions and hijacks one:

  • List sessions: `query user` or `query session` (shows session IDs and users).
  • As SYSTEM, attach a target session to the current one: `tscon <target-session-id> /dest:<your-session-name>`
  • A common path runs it via a SYSTEM service: `sc create hijack binpath= "cmd /k tscon <id> /dest:rdp-tcp#<n>" && sc start hijack`

The attacker now controls the victim’s desktop session as that user. This is a documented technique, described here so defenders know what to look for.

How to defend

  • Log off privileged RDP sessions rather than merely disconnecting them, and set policies to end disconnected sessions quickly.
  • Keep Domain Admins off shared or member servers so their sessions are never sitting there to hijack.
  • Limit who can gain SYSTEM on hosts (the prerequisite for the attack).
  • Apply tiered administration so high-value sessions only exist on protected admin workstations.
  • Monitor for tscon usage and session-connect events from service or SYSTEM contexts.
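The last bullet is the one a detection engineer has to turn into a rule. The following is an added example written for this article, not SecureLayer7’s own tooling: a small Python checker that scans process-creation records (the shape of Windows Security 4688 or Sysmon event 1 data) and flags `tscon` executed from a SYSTEM or service-launched context, `tscon` run by an ordinary user, and an `sc create` whose binpath wraps `tscon`, the staging step the article describes. The pipe-delimited log format, the sample lines and the rule names are all constructed for the example; a real deployment would read the fields from the event log or SIEM instead.

```python
"""Flag tscon-based RDP session hijacking indicators in process-creation records.

Added example for the article above; not part of any product or the page's own code.
Log format and sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records, pipe-delimited:
#   event_id|subject_user|parent_image|image|command_line
# Line 1 is benign; lines 2-4 mirror the hijack steps described in the article;
# line 5 is tscon run by a non-SYSTEM user (worth a look, but lower confidence).
SAMPLE_LOG = r"""
4688|CORP\jsmith|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
4688|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\cmd.exe|cmd /k tscon 2 /dest:rdp-tcp#3
4688|CORP\jsmith|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc create hijack binpath= "cmd /k tscon 2 /dest:rdp-tcp#3"
4688|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\Windows\System32\tscon.exe|tscon 2 /dest:rdp-tcp#3
4688|CORP\helpdesk|C:\Windows\explorer.exe|C:\Windows\System32\tscon.exe|tscon 4 /dest:console
"""


@dataclass
class ProcEvent:
    event_id: int
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    rule: str       # constructed rule name
    severity: str   # "high" or "medium"
    event: ProcEvent


# Accounts that mean "running as SYSTEM" (the article's prerequisite for the attack).
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}
# tscon or tscon.exe appearing as a whole word anywhere in a command line.
TSCON_RE = re.compile(r"\btscon(?:\.exe)?\b", re.IGNORECASE)
SC_CREATE_RE = re.compile(r"\bcreate\b", re.IGNORECASE)


def parse_line(line: str) -> ProcEvent:
    """Split one constructed log record into a ProcEvent."""
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    return ProcEvent(int(parts[0]), parts[1], parts[2], parts[3], parts[4])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> List[Alert]:
    """Apply the three rules to one event; at most one alert per event."""
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    system_context = ev.user.lower() in SYSTEM_ACCOUNTS or parent == "services.exe"
    mentions_tscon = image == "tscon.exe" or bool(TSCON_RE.search(ev.command_line))

    # Staging: a service whose binpath wraps tscon (the "sc create" path from the article).
    if image == "sc.exe" and SC_CREATE_RE.search(ev.command_line) and TSCON_RE.search(ev.command_line):
        return [Alert("sc_create_tscon_service", "high", ev)]
    # tscon launched as SYSTEM or by the service control manager: no legitimate reason on most hosts.
    if mentions_tscon and system_context:
        return [Alert("tscon_system_context", "high", ev)]
    # tscon by an ordinary user: rare, so still worth triage, but lower confidence.
    if mentions_tscon:
        return [Alert("tscon_user_context", "medium", ev)]
    return []


def scan(log_text: str) -> List[Alert]:
    """Run every non-empty record through evaluate() and collect the alerts."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.rule}: user={a.event.user} cmd={a.event.command_line}")
```

On the constructed sample the checker raises three high-severity alerts (the service-launched `cmd /k tscon`, the `sc create` staging command and the direct `tscon.exe` as SYSTEM) and one medium alert for the helpdesk user. The user-context rule is deliberately separate so it can be tuned or suppressed on hosts where administrators legitimately reconnect sessions, while the SYSTEM-context rule stays noisy-by-design: on a host where nobody should be hijacking sessions, any hit is worth an analyst’s time.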
