RDP Session Hijacking using tscon

I read Kevin Beaumont’s RDP Session Hijacking article on Medium and was amazed at how it worked, so I decided to replicate it.

For more information about RDP hijacking, please check Kevin Beaumont’s article (https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6).


The Setup:
Two virtual machines, both running Windows 7

Attacker Machine

Target Machine


In this situation, I already have an administrator account named “blade” on the target machine. The goal is to hijack the session of “superAdmin” which is currently logged on to the target machine.


First, I RDP to the target machine using the administrator account “blade”.


Using the command “query user”, I was able to check which users were logged on.


On the target machine, I created a service that hijacks the session of “superadmin”.

sc create rdphijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0"

The number passed to tscon is the session ID of superadmin (as shown by “query user”).
The "/dest" value is the SessionName of my own RDP session, the one I connected with as “blade”. In this scenario the SessionName is "rdp-tcp#0".


Lastly, I started the service I created using the command “net start rdphijack” and successfully obtained an RDP session as the “superadmin” account.

net start rdphijack
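From the defender's side, the trace this technique leaves is a service whose image path launches tscon (Windows logs service installation as System Event ID 7045, which records the new service's name, file name and account). The following is an added example, not part of the original write-up, that triages such events and extracts the hijacked session ID and the /dest target; the event records are constructed and the field names are simplified labels, not the exact XML element names.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# tscon <session> [... /dest:<sessionname>] anywhere in a command line, case-insensitive.
TSCON_RE = re.compile(
    r"\btscon(?:\.exe)?\s+(?P<session>\S+)(?:.*?/dest:(?P<dest>\S+))?",
    re.IGNORECASE,
)

@dataclass
class Alert:
    service_name: str
    account: str
    hijacked_session: str       # session ID handed to tscon
    destination: Optional[str]  # /dest: value, None if tscon was called without it
    image_path: str

def parse_tscon(image_path: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {'session', 'dest'} if the image path invokes tscon, else None."""
    m = TSCON_RE.search(image_path)
    if not m:
        return None
    return {"session": m.group("session"), "dest": m.group("dest")}

def detect(events: Iterable[dict]) -> List[Alert]:
    """Flag service-install events (ID 7045) whose image path runs tscon."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        hit = parse_tscon(ev.get("ImagePath", ""))
        if hit:
            alerts.append(Alert(ev.get("ServiceName", "?"), ev.get("AccountName", "?"),
                                hit["session"], hit["dest"], ev["ImagePath"]))
    return alerts

# Constructed sample events (not real log data); the first mirrors the sc create command above.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "rdphijack", "AccountName": "LocalSystem",
     "ImagePath": 'cmd.exe /k tscon 1 /dest:rdp-tcp#0'},
    {"EventID": 7045, "ServiceName": "Spooler", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7036, "ServiceName": "rdphijack", "AccountName": "", "ImagePath": ""},
    {"EventID": 7045, "ServiceName": "svc2", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\TSCON.EXE 2"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT service={a.service_name} account={a.account} "
              f"session={a.hijacked_session} dest={a.destination} path={a.image_path}")
```

A matching rule should also cover Security Event ID 4697 (service installation) and process-creation events where tscon.exe is a child of a service host, since a service can reach tscon through other wrappers than cmd.exe /k.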





Kevin Beaumont – @gossithedog
Alexander Korznikov – @nopernik
