The Remote Desktop Protocol (RDP) lets administrators manage Windows systems and support users with problems. However, RDP is also very popular with criminal hackers: with the attack technique known as RDP hijacking, they can pose as legitimate users to gain access to and control over IT systems.
Since remote administration and management, such as that made possible by RDP for Windows devices, has become significantly more important for companies in all industries in the wake of the corona crisis, the risk of falling victim to RDP hijacking attacks increases. Quite apart from current developments, the fact that Windows and Windows Server systems are interconnected in the majority of company networks and that admins use RDP to manage them makes it essential to be aware of the associated risks.
Read how RDP is compromised and how you can protect yourself against it.
RDP hijacking is not a particularly new phenomenon. Rather, it is a technique that has been around for a number of years and usually does not rely on the common attack vectors of exploiting vulnerabilities or phishing, but uses completely legitimate features of the RDP service under Windows.
With RDP hijacking, an attacker resumes a previously disconnected RDP connection. This gives the attacker access to privileged systems without having to steal the relevant login data. For example, if an administrator configured a Windows server via RDP a few days ago, it is much easier for an attacker to “resume” this session than to try to obtain the admin’s password via social engineering.
Once in the system, the attacker can move laterally through the company network and remains undetected – after all, monitoring software is dealing with a supposedly authorized user.
There are different ways to resume an RDP session. The procedure was originally discovered in 2011 by Benjamin Delpy, developer of the pentesting tool mimikatz. In 2017, security specialist Alexander Korznikov demonstrated how the same procedure can be used for privilege escalation attacks on Windows systems.
In this article, we concentrate on the RDP hijacking method, which makes use of the Windows on-board tool Tscon.exe. The utility enables users to switch to a new remote desktop session or to switch back and forth between different sessions.
The syntax of the command is simple; the Microsoft Knowledge Base describes what the individual parameters entail.
The simplest example would be:
tscon 2
Executed on a host server, this command connects the user to session ID 2 and disconnects all existing connections. However, Microsoft itself warns: “You must exercise caution when using Tscon.exe so as not to inadvertently leave a previously inaccessible server open.”
In order to take over a foreign remote desktop session, the attacker must be connected to the RDP host. This requires some “preparatory work”: if the hacker is not an internal perpetrator, he needs the appropriate access data. This type of attack is particularly dangerous because it is also regularly part of APT attacks.
If a system is compromised, e.g. by malware, this technique enables attackers to take over the sessions and environments of other users without needing a password. With reference to the diagram, the malicious user would log into client 3 on the RDP server and would be able to see all connected RDP users. All he needs is the following command:
The following entries on the command line are then sufficient to end the attacker’s current session (ID 2) and to resume the previously interrupted session 1 between the attacker and the RDP server:
sc create hijackedsession binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#2"
net start hijackedsession
No password is requested, nor are any traces left that IT forensics could evaluate. The reason: the user who was previously active on client 2 ended his RDP session but did not explicitly log off from the server.
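The chain described above leaves artefacts that are nonetheless worth watching for on the defender’s side: a service installed through sc.exe is recorded in the Windows System log as event 7045 with its image path, and where command-line process auditing is enabled, Security event 4688 records the sc create and tscon invocations. The following added example (not from the original article) runs that detection logic over constructed sample records shaped like the fields a SIEM would extract from those events; the hostnames, user names and severity labels are assumptions for the demo.

```python
import re

# Constructed sample records (not real logs), shaped like fields extracted from
# System event 7045 (service installed) and Security event 4688 (process created).
SAMPLE_EVENTS = [
    {"id": 7045, "host": "srv01", "service": "hijackedsession",
     "image": "cmd.exe /k tscon 1 /dest:rdp-tcp#2"},
    {"id": 7045, "host": "srv01", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 4688, "host": "srv01", "user": r"CORP\svc-backup",
     "cmdline": 'sc create hijackedsession binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#2"'},
    {"id": 4688, "host": "srv02", "user": r"CORP\jdoe",
     "cmdline": "tscon 3 /password:*"},
]

# tscon <session> ... /dest:<session name>: one session redirected onto another.
TSCON_DEST = re.compile(r"\btscon(?:\.exe)?\s+(\S+).*?/dest:(\S+)", re.I)
# Any tscon invocation at all, used for the lower-severity informational finding.
TSCON_ANY = re.compile(r"\btscon(?:\.exe)?\s+(\S+)", re.I)
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)

def analyse(events):
    """Return (severity, host, reason) tuples for RDP session takeover indicators."""
    out = []
    for ev in events:
        text = ev.get("image") or ev.get("cmdline") or ""
        dest = TSCON_DEST.search(text)
        if ev["id"] == 7045 and TSCON_ANY.search(text):
            # A service whose image is tscon runs it as SYSTEM: no password prompt.
            out.append(("high", ev["host"],
                        f"service {ev['service']!r} installed with tscon in its image path"))
        elif ev["id"] == 4688 and SC_CREATE.search(text) and TSCON_ANY.search(text):
            out.append(("high", ev["host"], f"{ev['user']} ran sc create wrapping tscon"))
        elif ev["id"] == 4688 and dest:
            out.append(("high", ev["host"],
                        f"{ev['user']} redirected session {dest.group(1)} to {dest.group(2)}"))
        elif ev["id"] == 4688 and TSCON_ANY.search(text):
            # Interactive session switching by a user is normal; record it only.
            out.append(("info", ev["host"], f"{ev['user']} used tscon interactively"))
    return out

if __name__ == "__main__":
    for sev, host, reason in analyse(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {reason}")
```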
For the reasons mentioned, a monitoring solution alone is not a remedy against RDP hijacking. An operating system upgrade does not help either, because the attack technique affects almost all versions of Windows Server. Still, there are two main defense measures you can take against RDP hijacking:
Enforce group policies: Instead of leaving “disconnected” remote desktop sessions lingering for longer, the group policy settings should be changed so that users are logged off either immediately or shortly after they are disconnected from an RDP session. This prevents passwordless hijacking.
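The group policy “Set time limit for disconnected sessions” writes the REG_DWORD value MaxDisconnectionTime (in milliseconds; 0 or absent means never) under the Terminal Services policy key. The following added example (not from the original article) parses the output of reg query for that key, as an auditor might collect it from many hosts, and reports whether the setting still leaves a window for a later takeover; the two sample dumps and the 5-minute threshold are constructed assumptions.

```python
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

# Constructed samples in the layout printed by `reg query <key>`: the first host
# has no time limit configured, the second logs off after ten minutes (0x927c0 ms).
SAMPLE_WEAK = f"""
{POLICY_KEY}
    fDenyTSConnections    REG_DWORD    0x0
"""
SAMPLE_HARDENED = f"""
{POLICY_KEY}
    MaxDisconnectionTime    REG_DWORD    0x927c0
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")

def parse_reg_query(text):
    """Return {value name: int} for the REG_DWORD lines of a `reg query` dump."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(2) == "REG_DWORD":
            values[m.group(1)] = int(m.group(3), 16)   # reg prints DWORDs as 0x...
    return values

def assess_disconnect_policy(values, max_minutes=5):
    """Return findings; an empty list means disconnected sessions are ended promptly."""
    limit_ms = values.get("MaxDisconnectionTime", 0)
    if limit_ms == 0:
        return ["disconnected sessions are never timed out (MaxDisconnectionTime missing or 0)"]
    minutes = limit_ms // 60000
    if minutes > max_minutes:
        return [f"disconnected sessions persist for {minutes} minutes before logoff"]
    return []

if __name__ == "__main__":
    for name, dump in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, assess_disconnect_policy(parse_reg_query(dump)) or ["ok"])
```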
Reduce the attack surface: There is no point in keeping RDP services and ports open to everyone on the Internet. However, restricting RDP can quickly push remote administration to its limits. If access via the Internet is required, the use of Microsoft Remote Desktop Gateway or Azure Multi-Factor Authentication Server is recommended as an inexpensive way to add multi-factor authentication. (fm)
This article is based on an article from our US sister publication CSO Online.