hijacking of remote desktop connections
➔ With this technique you can:
  ◆ Connect to ANY disconnected session
  ◆ Unlock ANY locked user session
  ◆ Work on the physical console
  ◆ Work remotely
➔ Requires no external tools like Mimikatz, Meterpreter etc.
session to access sensitive systems in an organization
➔ Hijack help desk RDP connections, as they are more privileged
➔ Hijack RDP sessions of privileged users such as Domain Admins
➔ Hijack ANY user RDP session
➔ Use hijacked sessions to move laterally across the enterprise
➔ Etc. Etc.
2. Create a service which will hijack the user's session:
   C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon <ID> /dest:<sessions_name>"
3. Start the service:
   net start sesshijack
4. Right after that your session will be replaced with the target session
either immediately or soon after the user disconnects.
➢ Set up process monitoring for tscon.exe usage, and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments, to prevent RDP session hijacking.
➢ Also, note how event_data.LogonID and event IDs 4778 (logon) and 4779 (logoff) can be used to figure out which desktop sessions got disconnected/reconnected.
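A small detector for the three indicators listed above, added here as an example and not taken from the original slides: it walks a constructed sequence of Sysmon process-creation (EID 1), System service-install (EID 7045) and Security session-disconnect/reconnect (EID 4779/4778) records, flags tscon.exe execution and services whose image path runs cmd.exe /k or /c, and uses LogonID to tie a reconnect back to the session that was disconnected just before. Field names, timestamps and account/session values are assumptions chosen to mirror the real log layouts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the page). Keys mirror the Sysmon (EID 1),
# System (EID 7045) and Security (EID 4778 reconnect / 4779 disconnect) layouts.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "id": 4779, "LogonID": "0x3e7a1", "SessionName": "RDP-Tcp#3", "AccountName": "helpdesk01"},
    {"ts": "2024-01-10T09:01:30", "id": 7045, "ServiceName": "sesshijack", "ImagePath": "cmd.exe /k tscon 3 /dest:console"},
    {"ts": "2024-01-10T09:01:31", "id": 1, "Image": r"C:\Windows\System32\tscon.exe", "CommandLine": "tscon 3 /dest:console", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-10T09:01:32", "id": 4778, "LogonID": "0x3e7a1", "SessionName": "console", "AccountName": "helpdesk01"},
    {"ts": "2024-01-10T11:00:00", "id": 7045, "ServiceName": "Backup", "ImagePath": r"C:\Program Files\Backup\svc.exe"},
]

# A service binary that is really a shell one-liner (the page's "cmd.exe /k" pattern).
SERVICE_SHELL = re.compile(r"cmd\.exe\s+/[kc]\b", re.IGNORECASE)
RECENT = timedelta(minutes=10)   # assumed correlation window ("soon after the user disconnects")


def detect(events):
    """Return a list of (rule, detail) alerts, in event order."""
    alerts, disconnects, last_tscon = [], {}, None   # disconnects: LogonID -> (ts, session)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, eid = datetime.fromisoformat(e["ts"]), e["id"]
        if eid == 4779:                       # session disconnected from its window station
            disconnects[e["LogonID"]] = (ts, e["SessionName"])
        elif eid == 4778:                     # session reconnected; note where the LogonID landed
            was = disconnects.pop(e["LogonID"], None)
            if last_tscon and ts - last_tscon <= RECENT:
                alerts.append(("reconnect_after_tscon",
                               f'{e["AccountName"]} LogonID {e["LogonID"]} {was[1] if was else "?"} -> {e["SessionName"]}'))
        elif eid == 7045 and SERVICE_SHELL.search(e["ImagePath"]):
            sev = "high" if "tscon" in e["ImagePath"].lower() else "medium"
            alerts.append(("service_cmd_shell", f'{sev}: {e["ServiceName"]}: {e["ImagePath"]}'))
        elif eid == 1 and e["Image"].lower().endswith("\\tscon.exe"):
            last_tscon = ts
            recent = [s for t, s in disconnects.values() if ts - t <= RECENT]
            alerts.append(("tscon_exec",
                           f'{e["CommandLine"]} (parent {e["ParentImage"]}; recently disconnected: {recent or "none"})'))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Against the sample, the benign Backup service produces nothing, while the hijack sequence yields a high-severity service alert, a tscon.exe execution naming the session disconnected a minute earlier, and a reconnect of that LogonID onto the console session.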