Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
March 20, 2017

Hijacking Windows user sessions with built-in command line tools

Did you know that by using built-in command line tools, any user with system rights and permissions (usually a local administrator) can hijack the session of any logged-in Windows user without knowing that user’s password? This can be done with physical access to the target’s machine, but also remotely via Remote Desktop Protocol (RDP).

The capability is not exactly a secret: a French security researcher pointed it out some six years ago, but researcher Alexander Korznikov did not know that when he detailed it again a few days ago.

He stumbled on it when he tried to connect to another user’s session via the Users tab in Windows Task Manager, and succeeded in doing so without being asked for the password.

After perusing some Microsoft documentation, he figured out that the prerequisite for this is to have Full Control access permission or Connect special access permission, and that – contrary to what Microsoft says – you don’t have to specify a password in the parameter.

He believed this to be a security vulnerability, but Microsoft does not deem it so, because to be exploited it requires the attacker to have local admin rights on the machine.

Korznikov provided a few video demos of a successful session hijacking (via Task Manager, service creation, or command line), as well as PoC exploit steps. Another researcher confirmed that the exploitation works on every Windows version, even if the workstation is locked.

While security professionals debate the severity of this flaw/feature, Korznikov delineated how it can be easily misused by a malicious insider: a sysadmin in a bank can log into an employee’s locked workstation while the employee is away for lunch, hijack the employee’s session, and use it to perform malicious actions in the billing system (to which he usually has no access).
