SharpRDPHijack
Sharp RDP Hijack is a proof-of-concept .NET/C# Remote Desktop Protocol (RDP) session hijack utility for disconnected sessions.
Background
RDP session hijacking is a post-exploitation technique for taking control of (forcefully) disconnected interactive login sessions. The technique is described in MITRE ATT&CK T1563 - Remote Service Session Hijacking: RDP Hijacking.
Notes
- SharpRDPHijack.cs compiles in Visual Studio 2019 under .NET Framework v.4.
- TS/RDP session queries may require privileges, depending on the target machine.
- Session hijacking requires an elevated (administrator) context to connect to another session.
- NT AUTHORITY\SYSTEM context is required to take control of a session unless a target session user's password is known. Without a supplied password, SharpRDPHijack will (attempt to) impersonate NT AUTHORITY\SYSTEM.
- Windows 2019 Server session hijacking exhibits interesting behavior vs prior OS versions. Upon hijacking a session that is redirected to an active RDP session, the Windows login screen prompts for the user's password/credential. If redirected to the console session, this redirection is successful and seamless. This presents an interesting research opportunity (IMO).
- Several folks have inquired about the function/necessity of this utility when you can do the same thing with tscon.exe or Mimikatz TS. The goal of writing this POC was to gain a better understanding of what was happening at the Win32 API level (more specifically - Wtsapi32) and to have a simpler option for connecting to other sessions (preferably in C#). In this implementation, the two functions/methods that do the heavy lifting are WTSConnectSession and WTSDisconnectSession.
- Potentially, this utility could evade detection analytics that are specific to tscon.exe and its supporting command usage. The defensive guidance in the linked resources is useful for addressing abuse of this technique (e.g. logging off disconnected sessions after a timeout period in Group Policy), as is implementing domain admin login resiliency best practices to minimize domain exposure where non-DA accounts have admin rights on machines also used by DAs.
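The Group Policy mitigation mentioned in the last note can be audited per host. The following PowerShell is an added example, not part of SharpRDPHijack: it reads the machine policy value behind "Set time limit for disconnected sessions" and lists the sessions currently left in the disconnected state. It assumes English-language `quser` output; the function and variable names are illustrative.

```powershell
# Added example (not SharpRDPHijack code). Assumes English-language quser output.

# Machine policy "Set time limit for disconnected sessions" is stored as a DWORD
# in milliseconds; a missing value or 0 means disconnected sessions are never ended.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$policy    = Get-ItemProperty -Path $policyKey -Name MaxDisconnectionTime -ErrorAction SilentlyContinue
$limitMs   = $policy.MaxDisconnectionTime

if (-not $limitMs) {
    Write-Warning 'No time limit for disconnected sessions is set by machine policy on this host.'
} else {
    Write-Output ('Disconnected sessions are ended after {0} minutes.' -f ($limitMs / 60000))
}

# Convert the quser IDLE TIME column ('.', 'none', '7', '1:05', '2+03:10') to minutes.
function ConvertTo-IdleMinutes([string]$Idle) {
    if ($Idle -match '^(?:(\d+)\+)?(?:(\d+):)?(\d+)$') {
        # Groups that did not take part in the match are $null and cast to 0.
        return ([int]$Matches[1] * 1440) + ([int]$Matches[2] * 60) + [int]$Matches[3]
    }
    return 0   # '.' and 'none' carry no measurable idle time
}

# A disconnected session has an empty SESSIONNAME column, so that field is optional.
$pattern = '^[\s>]*(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+Disc\s+(?<Idle>\S+)\s+(?<Logon>.+)$'

# quser writes to stderr when no sessions exist; the header row is skipped.
quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match $pattern) {
        $m = $Matches   # keep this line's captures before calling the helper
        [pscustomobject]@{
            User        = $m.User
            SessionId   = [int]$m.Id
            IdleMinutes = ConvertTo-IdleMinutes $m.Idle
            LogonTime   = $m.Logon.Trim()
        }
    }
} | Sort-Object IdleMinutes -Descending
```

Any row returned on a host that also triggers the warning is a session that stays available for takeover until someone logs it off.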
Usage
[*] Parameters:
--tsquery=<host> : Query a host to identify RDP/TS session information (not required for other switches)
--session=<ID> : Target session identifier
--password=<User's Password> : Session password if known (otherwise optional - not required for disconnect switch)
--console : Redirect session to console session instead of current (active) session
--disconnect : Disconnect an active (remote) session
[*] Example Usage 1: Impersonate NT AUTHORITY\SYSTEM to hijack session #6 and redirect to the current session
SharpRDPHijack.exe --session=6
[*] Example Usage 2: Impersonate NT AUTHORITY\SYSTEM to hijack session #2 and redirect to the console session
SharpRDPHijack.exe --session=2 --console
[*] Example Usage 3: Hijack Remote Desktop session #4 with knowledge of the logged-on user's password
SharpRDPHijack.exe --session=4 --password=P@ssw0rd
[*] Example Usage 4: Disconnect active session #3
SharpRDPHijack.exe --session=3 --disconnect
[*] Example Usage 5: Query the local host for RDP/TS session information
SharpRDPHijack.exe --tsquery=localhost
To Do
- Clean up session validation
Other Notable Implementations
Ethics
Sharp RDP Hijack is designed to help security professionals perform ethical and legal security assessments and penetration tests. Do not use for nefarious purposes.
Resources with Defensive Considerations
- Red Team Experiments | T1076: RDP Hijacking for Lateral Movement with tscon
- Kevin Beaumont | RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation