Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
March 20, 2017

Hijacking Windows user sessions with built-in command line tools

Did you know that by using built-in command line tools, any user with system rights and permissions (usually a local administrator) can hijack the session of any logged-in Windows user without knowing that user’s password? The action can be performed with physical access to the target’s machine, but also remotely via Remote Desktop Protocol (RDP).

The capability is not exactly secret: a French security researcher pointed it out some six years ago, but researcher Alexander Korznikov did not know that when he detailed it again a few days ago.

He stumbled on it when he tried to connect to another user’s session via the Users tab in Windows Task Manager, and succeeded in doing so without being asked for the password.

After perusing some Microsoft documentation, he figured out that the prerequisite for this is to have Full Control access permission or Connect special access permission, and that – contrary to what Microsoft says – you don’t have to specify a password in the parameter.

He believed this to be a security vulnerability, but Microsoft does not deem it so, because to be exploited it requires the attacker to have local admin rights on the machine.

Korznikov provided a few video demos of a successful session hijacking (via Task Manager, service creation, or command line), as well as PoC exploit steps. Another researcher confirmed that the exploitation works on every Windows version, even if the workstation is locked.

While security professionals debate the severity of this flaw/feature, Korznikov delineated how it can be easily misused by a malicious insider: a sysadmin in a bank can log into an employee’s locked workstation while the employee is away for lunch, hijack the employee’s session, and use it to perform malicious actions in the billing system (to which he usually has no access).
