Sharp RDP Hijack is a proof-of-concept .NET/C# Remote Desktop Protocol (RDP) session hijack utility for disconnected sessions
RDP session hijacking is a post-exploitation technique for taking control of (forcefully) disconnected interactive login sessions. The technique is described in Mitre ATT&CK T1563 - Remote Service Session Hijacking: RDP Hijacking.
- SharpRDPHijack.cs compiles in Visual Studio 2019 under .NET Framework v.4.
- TS/ RDP Session query may require privileges depending on the target machine.
- Session hijacking requires an elevated (administrator) context to connect to another session.
- NT AUTHORITY\SYSTEM context is required to take control of a session unless a target session user's password is known. Without a supplied password, SharpRDPHijack will (attempt to) impersonate NT AUTHORITY\SYSTEM.
- Windows 2019 Server session hijacking exhibits interesting behavior vs prior OS versions. Upon hijacking a session that is redirected to an active RDP session, the Windows login screen prompts for the user's password/credential. If redirected to the console session, this redirection is successful and seamless. This presents an interesting research opportunity (IMO).
- Several folks have inquired about the function/necessity of this utility when you can do the same thing with tscon.exe or Mimikatz TS. The goal of writing this POC was to gain a better understanding of what was happening at the Win32 API level (more specifically - Wtsapi32) and to have a simpler option for connecting to other sessions (preferably in C#). In this implementation, the two functions/methods that do the heavy lifting are WTSConnectSession and WTSDisconnectSession.
- Potentially, there is an advantage such that this utility could evade specific detection analytics for tscon.exe + supporting command usage. Defensive guidance in the linked resources page are useful for addressing abuse of this technique (e.g. logging off disconnected sessions after a timeout period in Group Policy) as well as implementing domain admin login resiliency best practices to minimize domain exposure where non-DA accounts have admin rights on machines also used by DAs.
[*] Parameters:
--tsquery=<host> : Query a host to identify RDP/TS session information (not required for other switches)
--session=<ID> : Target session identifier
--password=<User's Password> : Session password if known (otherwise optional - not required for disconnect switch)
--console : Redirect session to console session instead of current (active) session
--disconnect : Disconnect an active (remote) session
[*] Example Usage 1: Impersonate NT AUTHORITY\SYSTEM to hijack session #6 and redirect to the current session
SharpRDPHijack.exe --session=6
[*] Example Usage 2: Impersonate NT AUTHORITY\SYSTEM to hijack session #2 and redirect to the console session
SharpRDPHijack.exe --session=2 --console
[*] Example Usage 3: Hijack Remote Desktop session #4 with knowledge of the logged-on user's password
SharpRDPHijack.exe --session=4 --password=P@ssw0rd
[*] Example Usage 4: Disconnect active session #3
SharpRDPHijack.exe --session=3 --disconnect
[*] Example Usage 5: Query the local host for RDP/TS session information
SharpRDPHijack.exe --tsquery=localhost
- Clean up session validation
Sharp RDP Hijack is designed to help security professionals perform ethical and legal security assessments and penetration tests. Do not use for nefarious purposes.