Cyber security

SharpRDPHijack : A .NET Utility For RDP Session Hijacking

Sharp RDP Hijack is a proof-of-concept .NET/C# Remote Desktop Protocol (RDP) session hijack utility.

RDP session hijacking is a post-exploitation technique for taking control of (forcefully) disconnected interactive login sessions. The technique is described in Mitre ATT&CK T1563.002 – Remote Service Session Hijacking: RDP Hijacking.

Notes

  • SharpRDPHijack.cs compiles in Visual Studio 2022 under .NET Framework v.4.8 (and likely earlier versions).
  • TS/RDP Session query may require privileges depending on the target machine.
  • Session hijacking requires an elevated (administrator) context to connect to another session.
  • NT AUTHORITY\SYSTEM context is required to take control of a session unless a target session user’s password is known. Without a supplied password, SharpRDPHijack will (attempt to) impersonate NT AUTHORITY\SYSTEM.
  • Windows 2019+ Server session hijacking exhibits interesting behavior vs prior OS versions. Upon hijacking a session that is redirected to an activated RDP session, the Windows login screen prompts for the user’s password/credential.
    • If redirected to the console session, this redirection is successful and seamless. Leverage the –shadow option with the –console option to attempt to connect to the session via RDP shadowing.
  • Several folks have inquired about the function/necessity of this utility when you can do the same thing with tscon.exe or Mimikatz TS.
    • The goal of writing this POC was to gain a better understanding of what was happening at the Win32 API level (more specifically – Wtsapi32) and to have a simpler option for connecting to other sessions (preferably in C#).
  • Potentially, there is an advantage such that this utility could evade specific detection analytics for tscon.exe + supporting command usage.
    • Defensive guidance in the linked resources page are useful for addressing abuse of this technique (e.g. logging off disconnected sessions after a timeout period in Group Policy) as well as implementing domain admin login resiliency best practices to minimize domain exposure where non-DA accounts have admin rights on machines also used by DAs.

Usage

[*] Parameters:
[*] A proof-of-concept Remote Desktop (RDP) session hijack utility
    - For session hijacking, this utility must be run in an elevated context to connect to another session
    - If a password is not specified, NT AUTHORITY\SYSTEM is impersonated
    - For session query, admin privileges or "Remote Desktop Users" group membership is required on the target machine

[*] Parameters:
    --tsquery=<host> : Query a host to identify RDP/TS session information (not required for other switches)
    --session=<ID> : Target session identifier
    --password=<User's Password> : Session password if known (otherwise optional - not required for disconnect switch)
    --console : Redirect session to console session instead of current (active) session
    --shadow : Shadow an active session (experimental)
    --disconnect : Disconnect an active (remote) session

[*] Example Usage 1: Impersonate NT AUTHORITY\SYSTEM to hijack session #6 and redirect to the current session
    SharpRDPHijack.exe --session=6

[*] Example Usage 2: Impersonate NT AUTHORITY\SYSTEM to hijack session #2 and redirect to the console session
    SharpRDPHijack.exe --session=2 --console

[*] Example Usage 3: Hijack Remote Desktop session #4 with knowledge of the logged-on user's password
    SharpRDPHijack.exe --session=4 --password=P@ssw0rd

[*] Example Usage 4: Disconnect active session #3
    SharpRDPHijack.exe --session=3 --disconnect

[*] Example Usage 5: Query the local host for RDP/TS session information
    SharpRDPHijack.exe --tsquery=localhost

[*] Example Usage 6: Shadow active session #3
    SharpRDPHijack.exe --session=3 --shadow

[*] Example Usage 7: Shadow inactive session #2 by redirecting the session to the console
    SharpRDPHijack.exe --session=2 --shadow --console

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Install Mono on Ubuntu 18.04: C# Compiler and Runtime Guide

Running programs built for Microsoft's framework on a Linux system is easier than you think. Mono is…

16 hours ago

Install OpenCV on Ubuntu 18.04: Step-by-Step Setup Guide

Computer vision technology powers many modern applications, from image editors to facial scanners. OpenCV (Open Source Computer…

16 hours ago

Install VNC on Ubuntu 18.04: Step-by-Step TigerVNC Setup

A remote desktop interface makes it easy to manage a remote computer. VNC (Virtual Network Computing) is…

16 hours ago

Install Gitea on Ubuntu 18.04: Self-Hosted Git Service Guide

Hosting your own code repositories is a great way to keep your projects private. Gitea is a…

16 hours ago

Install Java on Ubuntu 18.04: OpenJDK 11 and OpenJDK 8

Many modern programs require Java to run. From development tools like Eclipse to search systems…

17 hours ago

Configure a Static IP Address on Ubuntu 18.04: Netplan Guide

Setting a static IP address on your server is a smart move. It ensures your…

2 days ago