In this instalment of Cyborg Security's latest series "Living off the Land," we will cover the topic of RDP hijacking. Specifically, we will look at the use of Tscon.exe in RDP hijacking. We'll also dive into how adversaries do this, and why it is important. We will also examine how to detect this activity.
No one would argue that Remote Desktop Services isn't a time saving feature in a Windows environment. With a few keystrokes, a user can log into a system remotely and access the system as if they were sitting in front of it. But, RDS also has another time saving feature that allows a user to connect to
another
user's session. It is this capability that allows adversaries to impersonate users and perform RDP hijacking. It bears mentioning that when an adversary conducts RDP hijacking, they do not only gain access to the account. Instead, when a session is taken control of, the controlling user also gains the privileges associated with the session. This makes RDP hijacking particular useful for lateral movement and privilege escalation. This technique can also enable an attacker to establish persistence.
This RDP hijacking technique takes advantage of the Windows native binary Tscon.exe. Tscon.exe allows the session owner, and other users, to take control of otherwise inactive sessions. But, if a user attempts to do this, they must enter a password. This password is the user's local or network credentials associated with the session. Now, this type of check would typically prevent unauthorized access to a session. But, there exist certain conditions where this requirements can be bypassed. The power of this technique is tremendous if used on an already compromised system. If an adversary manages to gain SYSTEM level authority on a compromised system, they are now able to hijack any inactive session on the system. Also, if the adverdary has scraped or accessed credentials, they are now able to move laterally throughout the environment. In order for an actor to successfully perform RDP hijacking, through exploitation of Tscon, first a service needs to be created. It should be noted that the command being executed by itself will not accomplish the objective.
video-embed
Process Create:
EventCode=4688 (WinEventLog) OR EventCode=1 (Sysmon) "*tscon*" AND "*dest*" AND ("*rdp-tcp*" OR "console*")
Service created:
EventCode=7045 (WinEventLog) "*tscon*" AND "*dest*" AND ("*rdp-tcp*" OR "console*")
Registry key modification:
EventCode=13 (Sysmon) *tscon*" AND "*dest*" AND ("*rdp-tcp*" OR "console*")
Haven't seen part one of this series? Catch up and watch the video here.
[hubspot type=cta portal=7924572 id=ae832f8f-83db-4b26-8f4d-f37f258623e2]
Guided Threat Hunts offers a library of Pivot Queries for hundreds of hunt packages that enable your threat hunters and analysts to overcome uncertainty and boost productivity. Guided Threat Hunts is a set of packages that assists users modify their result set to decide their next step and filter out noise from extraneous results.
The Lumma infostealer malware collects highly sensitive data including logins and session tokens. Here's how to conduct a threat hunt leveraging up-to-date tactics, techniques and procedures used by Lumma.
After compromising a system, attackers seek ways to maintain persistence. Here's how to threat hunt for a common persistence method used by attackers including DragonForce.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.