The Remote Desktop Protocol (RDP) helps administrators manage Windows systems and support users with problems. However, RDP is also very popular with criminal hackers: the RDP hijack attack technique allows them, as supposedly legitimate users, to access and control IT systems.

Since remote management and management, as enabled by RDP for Windows devices, has become significantly more important for businesses across all industries in the wake of the coronavirus crisis, the risk of falling victim to RDP hijacking attacks is increasing. Quite apart from the current developments: precisely because in most corporate networks Windows and Windows server systems are interconnected and administrators use RDP, it is essential to be aware of the associated risks.

Learn how the RDP compromise works and how you can protect yourself against it.

RDP hijacking is not a particularly new phenomenon. Rather, it is a technology that has been around for a few years and is often not based on common exploits of vulnerabilities – such as phishing – but rather uses fully legitimate functions of the RDP service under Windows.

With RDP hijacking, an attacker resumes a previously terminated RDP connection. This gives him access to privileged systems without stealing the associated credentials. For example, if an administrator configured a Windows server via RDP a few days ago, it would be much easier for an attacker to “resume” this session than to attempt to recover the administrator’s password through social engineering.

Once in the system, the attacker can move sideways through the corporate network and go unnoticed – after all, monitoring software is dealing with a supposedly authorized user.

There are several ways to continue an RDP session. The procedure was originally discovered in 2011 by Benjamin Delpy, developer of the pentest tool mimikatz. In 2017, security specialist Alexander Korznikov demonstrated how the same approach can be used for escalation attacks on Windows systems.

Hijack without password

In this article, we focus on the RDP hijack method, which is Windows’ default tool tscon.exe uses. The tool allows users to switch to a new remote desktop session or switch back and forth between different sessions.

The syntax of the command is simple – the Microsoft Knowledge Base provides information about what the individual parameters mean:

tscon {<SessionID> | <SessionName>} [/dest:<SessionName>] [/password:<pw> | /password:*] [/v]

The simplest example would be: tscon 2: This command – executed on a host server – would connect the user with session ID 2 and cut all existing connections. Microsoft itself warns, however, “You should be careful when using Tscon.exe not to accidentally leave a previously inaccessible server open.”

To hijack someone else’s remote desktop session, the attacker must be connected to the RDP host. To achieve this, “preparatory work” is needed: if the hacker is not an insider, he needs the correct access data. This type of hacker attack is particularly dangerous as it is a regular part of APT attacks.