One means of compromising systems cherished by malware authors is Remote Desktop Protocol (RDP). It provides a convenient way for system administrators to manage Windows systems and help users troubleshoot issues. RDP hijacking attacks often exploit legitimate features of the RDP service rather than relying purely on a vulnerability or on password phishing. In fact, the WannaCry ransomware is known to enumerate remote desktop sessions in an attempt to hijack them and execute its payload in each one.

RDP hijacking attacks involve the attacker "resuming" a previously disconnected RDP session. This allows the attacker to act on a privileged system without having to steal the user's credentials. For example, if an administrator remoted into a Windows Server machine a few days ago and disconnected rather than logging off, the session is still resident on the host, and it is much easier for an attacker who already has a foothold there to "resume" that very session than to obtain the administrator account's password via social engineering. Once in the session, the attacker can move laterally across the enterprise network while remaining undetected, because to an event monitor they are effectively acting as the authorized user whose session they have hijacked. Rather than being a vulnerability, this is a long-known "technique" that abuses a legitimate feature of the Windows RDP service. Given that the vast majority of enterprise networks connect Windows and Windows Server systems, and that sysadmins use RDP to manage them, it is vital to be aware of the risks and behavior of the RDP service. Moreover, increasing work-from-home arrangements have meant a greater reliance on remote administration and management tools like RDP, which now form part of the attack surface for malicious actors.

There are multiple ways to resume an RDP session. The technique was originally discovered in 2011 by Benjamin Delpy, the author of the pen-testing utility mimikatz. In 2017, Alexander Korznikov demonstrated how the same technique can be used for privilege escalation on later versions of Windows. Let's focus on the RDP hijacking technique leveraging the tscon.exe utility, which ships with Windows. It enables a user to connect to a different remote desktop session on a system or switch between sessions. The syntax for the command is simple, with the Microsoft Knowledge Base explaining in detail what each parameter entails.
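As an added example (not code from the original article, Microsoft, or Korznikov's demonstration), the PowerShell below shows the two sides of the tscon technique described above: it parses `query session` output to find disconnected user sessions that could be resumed, builds the tscon command line that would reattach one, and scans Security-log events for the trace a reattach leaves behind. The `query session` text and the two log events are constructed sample data embedded so the script runs offline; the function names are this example's own. The tscon syntax quoted in the comments is Microsoft's documented form, Event IDs 4688 (process creation, with command-line auditing enabled) and 4778 (session reconnected to a Window Station) are standard Windows Security-log events, and the requirement to run tscon as SYSTEM to take over another user's session without their password comes from Korznikov's 2017 demonstration, which launched it from a Windows service.

```powershell
# Added example, not code from the original article. It parses the output of
# `query session` to find sessions that could be resumed, shows the tscon
# command line that would reattach one, and scans Security-log events for
# the trace such a reattach leaves. Function names are this example's own.

# Constructed `query session` output for offline use; on a live host use
# (query session) instead. The second user session has no session name
# because its owner disconnected rather than logging off.
$SampleQuerySession = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           attacker                  1  Active
                   administrator             2  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

function Get-RdpSessions {
    param([string[]]$Lines)
    # Marker, session name, user name, numeric ID and state; the header line
    # has no numeric ID so it never matches.
    foreach ($line in $Lines) {
        if ($line -match '^(?<cur>[> ])(?<name>\S*)\s+(?<user>\S*)\s+(?<id>\d+)\s+(?<state>\w+)') {
            [pscustomobject]@{
                Id          = [int]$Matches.id
                SessionName = $Matches.name
                UserName    = $Matches.user
                State       = $Matches.state
                IsCurrent   = ($Matches.cur -eq '>')
            }
        }
    }
}

function Get-HijackableSessions {
    param([string[]]$Lines)
    # Only a session that is still resident ("Disc") and owned by a user can
    # be resumed. Session 0 ("services") is the service session, not a user.
    Get-RdpSessions -Lines $Lines |
        Where-Object { $_.State -eq 'Disc' -and $_.UserName -and $_.Id -ne 0 }
}

function New-TsconCommand {
    param([int]$TargetId, [string]$Destination = 'console')
    # Microsoft's documented syntax:
    #   tscon {<sessionID> | <sessionname>} [/dest:<sessionname>] [/password:<pw> | /password:*] [/v]
    # Reattaching another user's session without /password only succeeds when
    # tscon runs as SYSTEM; Korznikov's 2017 demonstration achieved that by
    # launching it from a Windows service.
    return "tscon $TargetId /dest:$Destination"
}

# Constructed Security-log events carrying the fields a real 4688 (process
# creation, command-line auditing enabled) and 4778 (session reconnected)
# contain. Live data: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4778}
$SampleEvents = @(
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2020-05-04T10:15:02'
        Message = "A new process has been created.`n`tNew Process Name:`tC:\Windows\System32\tscon.exe`n`tProcess Command Line:`ttscon 2 /dest:console" }
    [pscustomobject]@{ Id = 4778; TimeCreated = [datetime]'2020-05-04T10:15:03'
        Message = "A session was reconnected to a Window Station.`n`tAccount Name:`tadministrator`n`tSession Name:`tConsole`n`tClient Name:`tATTACKBOX" }
)

function Find-TsconActivity {
    param([object[]]$Events)
    # A tscon.exe launch (4688) followed within a minute by a reconnect of a
    # user's session to the console (4778) is the signature of a hijack; a
    # user legitimately reconnecting over RDP produces 4778 on its own.
    $launches = $Events | Where-Object {
        $_.Id -eq 4688 -and $_.Message -match '(?im)^\s*New Process Name:\s+.*\\tscon\.exe'
    }
    $reconnects = $Events | Where-Object {
        $_.Id -eq 4778 -and $_.Message -match '(?im)^\s*Session Name:\s+console'
    }
    foreach ($l in $launches) {
        $cmd = if ($l.Message -match '(?im)^\s*Process Command Line:\s+(.+)$') { $Matches[1].Trim() } else { '' }
        $follow = $reconnects | Where-Object {
            $_.TimeCreated -ge $l.TimeCreated -and ($_.TimeCreated - $l.TimeCreated).TotalSeconds -le 60
        }
        foreach ($r in $follow) {
            $user = if ($r.Message -match '(?im)^\s*Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
            [pscustomobject]@{
                LaunchedAt   = $l.TimeCreated
                CommandLine  = $cmd
                ReconnectAt  = $r.TimeCreated
                HijackedUser = $user
            }
        }
    }
}

# Usage: the attacker's view (what can be resumed, and how), then the
# defender's view (what the Security log recorded).
Get-HijackableSessions -Lines $SampleQuerySession | Format-Table Id, UserName, State
New-TsconCommand -TargetId 2
Find-TsconActivity -Events $SampleEvents | Format-Table
```

The detection half only works if process command-line auditing is enabled (otherwise a 4688 event names tscon.exe but carries no arguments), and it deliberately keys on a reconnect to the console session, since that is where a service-launched tscon delivers the stolen session; sessions reattached over a fresh RDP connection show up in 4778 with an rdp-tcp session name and a client name, which is the normal pattern for a user returning to their own work.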