Living off the Land (LotL) - RDP Hijacking | Intel 471

Living off the Land (LotL) - RDP Hijacking

Mar 23, 2021
In this instalment of Cyborg Security's latest series, "Living off the Land," we cover RDP hijacking, specifically the use of Tscon.exe to take over another user's session. We look at how adversaries carry out the technique, why it matters, and how to detect the activity.

No one would argue that Remote Desktop Services isn't a time-saving feature in a Windows environment. With a few keystrokes, a user can log into a system remotely and use it as if they were sitting in front of it. RDS also has another time-saving feature: it allows a user to connect to another user's session. It is this capability that lets adversaries impersonate users and perform RDP hijacking. It bears mentioning that when an adversary hijacks an RDP session, they do not merely gain access to the account. When a session is taken over, the controlling user also gains the privileges associated with that session. This makes RDP hijacking particularly useful for lateral movement and privilege escalation, and it can also enable an attacker to establish persistence.
This RDP hijacking technique takes advantage of the Windows native binary Tscon.exe. Tscon.exe allows the session owner, and other users, to take control of otherwise inactive sessions. Normally, a user who attempts this must enter a password: the local or network credentials associated with the target session. This check would typically prevent unauthorized access to a session, but under certain conditions the requirement can be bypassed. The technique is most powerful on an already compromised system. If an adversary manages to gain SYSTEM-level authority on a compromised host, they are able to hijack any inactive session on that host. If the adversary has also scraped or otherwise obtained credentials, they can then move laterally throughout the environment. For an actor to perform RDP hijacking through Tscon, a service first needs to be created; the Tscon command executed on its own will not accomplish the objective.



Process Create:

EventCode=4688 (WinEventLog) OR EventCode=1 (Sysmon) "*tscon*" AND "*dest*" AND ("*rdp-tcp*" OR "console*")

Service created:

EventCode=7045 (WinEventLog) "*tscon*" AND "*dest*" AND ("*rdp-tcp*" OR "console*")

Registry key modification:

EventCode=13 (Sysmon) "*tscon*" AND "*dest*" AND ("*rdp-tcp*" OR "console*")
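To show how the three searches above behave on actual log records, here is an added example (not code from the original post or from Cyborg Security) that applies the same matching logic to a handful of constructed Windows event records and reports which detection class fired and which session was targeted. The event field names (`source`, `EventCode`, `text`) and the sample records are assumptions for illustration; the matching terms are taken from the queries above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry). Each carries the event
# source, the EventCode, and the text field the page's queries key on:
# the process command line, the service ImagePath, or the registry value.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"source": "WinEventLog", "EventCode": "4688",
     "text": r"C:\Windows\System32\tscon.exe 2 /dest:rdp-tcp#3"},
    {"source": "Sysmon", "EventCode": "1",
     "text": r"C:\Windows\System32\query.exe user"},
    {"source": "WinEventLog", "EventCode": "7045",
     "text": r"cmd.exe /k tscon.exe 2 /dest:console"},
    {"source": "Sysmon", "EventCode": "13",
     "text": r"HKLM\SYSTEM\CurrentControlSet\Services\svc\ImagePath = "
             r"cmd.exe /k tscon.exe 1 /dest:rdp-tcp#2"},
    {"source": "WinEventLog", "EventCode": "4688",
     "text": r"C:\Windows\System32\notepad.exe"},
]

# Map (source, EventCode) to the detection class used on the page.
EVENT_CLASS = {
    ("WinEventLog", "4688"): "Process Create",
    ("Sysmon", "1"): "Process Create",
    ("WinEventLog", "7045"): "Service created",
    ("Sysmon", "13"): "Registry key modification",
}

# /dest: names the session being taken over, which is what an analyst wants.
SESSION_RE = re.compile(r"/dest:(rdp-tcp#\d+|console)", re.IGNORECASE)


def matches_tscon_hijack(text: str) -> bool:
    """Mirror *tscon* AND *dest* AND (*rdp-tcp* OR console*).

    "console*" in the query anchors to the start of a token; plain
    substring matching is used here and is slightly broader."""
    t = text.lower()
    return "tscon" in t and "dest" in t and ("rdp-tcp" in t or "console" in t)


def target_session(text: str) -> Optional[str]:
    """Return the session named after /dest:, lower-cased, or None."""
    m = SESSION_RE.search(text)
    return m.group(1).lower() if m else None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Return one alert per event that is in scope and matches the pattern."""
    alerts = []
    for ev in events:
        cls = EVENT_CLASS.get((ev["source"], ev["EventCode"]))
        if cls is None or not matches_tscon_hijack(ev["text"]):
            continue
        alerts.append({"class": cls, "EventCode": ev["EventCode"],
                       "session": target_session(ev["text"]), "text": ev["text"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['class']}] EventCode={a['EventCode']} session={a['session']}")
```

Running the block against the constructed records yields one alert each for the process-creation, service-creation and registry-modification events, while the `query user` and `notepad.exe` records are ignored.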

Haven't seen part one of this series? Catch up and watch the video here.
