RDP Session Hijacking
Intro
RDP hijacking attacks involve the attacker βresumingβ a previously disconnected RDP session (without a proper logout). This allows the attacker to get into a privileged system without having to steal the userβs credentials. For example, if an administrator remoted into a Windows Server machine a few days ago, it is much easier for the attacker to βresumeβ this very session, rather than attempting to obtain the administrator accountβs password.
Connecting to a workstation with Remote Desktop will disconnect any existing session. The /admin flag allows us to connect to the admin session, which does not disconnect the current user if we perform the login with the same user.
Passwordless hijacking
Letβs focus on the RDP hijacking technique leveraging the Tscon.exe utility, which comes with Windows. It enables a user to connect to a different remote desktop session on a system or switch between different sessions.
The syntax for the command is simple:
The simplest example would be tscon 2.
Running such a command on a server hosting the remote desktop session would connect the user to session with ID 2 and disconnect any existing sessions they are on.
to resume a previously disconnected RDP session an attacker with system-level access can setup a service with this syntax:
This will disconnect the current session of the attacker and βresumeβ the previously disconnected session between the attacker and the RDP server without asking for a password or leaving much of a forensic trace.
restricted admin mode
Since clear text credentials are required for all interactive logins, Microsoft introduced RDP with restricted admin mode which allows system administrators to perform a network login with RDP In an attempt to prevent attackers from stealing credentials on a compromised server.
A network login does not require clear text credentials and will not store them in memory, essentially disabling single sign-on. This type of login is commonly used by service accounts.
We can use restricted admin mode by supplying the /restrictedadmin argument to mstsc.exe. When we supply this argument, the current login session is used to authenticate the session :
Pass-the-Hash with mstsc.exe
Restricted admin mode is disabled by default but the setting can be controlled through the DisableRestrictedAdmin registry entry at the following path:
While restricted admin mode protects against credential theft on the target, when enabled, it is possible to pass the hash when doing lateral movement with mstsc.
to disable restricted admin mode, run this as admin:
to enable it, first run a local powershell session as admin user:
and enable restricted admin mode:
Mitigation
Due to the nature of RDP protocol and the behavior exploited by this technique, monitoring for an RDP hijacking attack is difficult because, to forensic tools, the activity looks as if a legitimate, authorized remote user was accessing the system.
Enforce Group Policy: Instead of leaving βdisconnectedβ remote desktop sessions in dormant state for long, Group Policy settings should be changed to log off users either instantly or shortly after they have disconnected an RDP session. This will prevent an attacker from simply βresumingβ a session in a credential-less manner.
Last updated