RDP hijacking attacks explained, and how to mitigate them

Attackers take advantage of a Windows Remote Desktop Protocol feature to take over previously disconnected sessions and appear as a legitimate user, gaining access to and control of the system.

RDP hijacking definition

One means of compromising systems cherished by malware authors is Remote Desktop Protocol (RDP). It provides a convenient way for system administrators to manage Windows systems and help users troubleshoot issues.

RDP hijacking attacks often exploit legitimate features of the RDP service rather than purely relying on a vulnerability or password phishing. In fact, the WannaCry ransomware is known to enumerate remote desktop sessions in an attempt to hijack RDP sessions and execute malware on each session.

RDP hijacking attacks involve the attacker “resuming” a previously disconnected RDP session. This allows the attacker to get into a privileged system without having to steal the user’s credentials. For example, if an administrator remoted into a Windows Server machine a few days ago, it is much easier for the attacker to “resume” this very session, rather than attempting to obtain the administrator account’s password via social engineering.

Once in the system, the attacker can move laterally across the enterprise network while remaining undetected, because to an event monitor they are effectively acting as the authorized user whose session they hijacked.
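Because a resumed session is logged under the legitimate user's account, the most useful signal a defender has is *where* the session was resumed from. The following Python script is an added example, not code from the article: it reads simplified Windows Security log lines for event 4779 (a session was disconnected from a Window Station) and event 4778 (a session was reconnected to a Window Station), pairs each reconnect with the most recent disconnect for the same account, and raises an alert when the reconnect comes from a different client name or address than the disconnect, or from the host's own console (ClientAddress=LOCAL). The log lines are constructed; the field names follow the real events, but the hosts, addresses and times are made up, and keying on the account alone (rather than the logon session) is a simplification noted in the code.

```python
import re
from typing import Dict, List

# Constructed sample of Windows Security log events, flattened to one line
# each. 4779 = session disconnected, 4778 = session reconnected. The field
# names follow those events; the hosts, addresses and times are invented.
# The RDP-Tcp#N session name changes on every new connection, which is why
# the detection below keys on the account rather than the session name.
SAMPLE_LOG = """\
2023-06-01T09:10:00 EventID=4779 AccountName=svc-admin AccountDomain=CORP SessionName=RDP-Tcp#3 ClientName=ADMIN-WS01 ClientAddress=10.0.5.20
2023-06-01T11:02:00 EventID=4778 AccountName=svc-admin AccountDomain=CORP SessionName=RDP-Tcp#4 ClientName=ADMIN-WS01 ClientAddress=10.0.5.20
2023-06-01T17:45:00 EventID=4779 AccountName=svc-admin AccountDomain=CORP SessionName=RDP-Tcp#4 ClientName=ADMIN-WS01 ClientAddress=10.0.5.20
2023-06-02T08:30:00 EventID=4779 AccountName=jdoe AccountDomain=CORP SessionName=RDP-Tcp#5 ClientName=LAPTOP-JDOE ClientAddress=10.0.7.41
2023-06-03T02:14:00 EventID=4778 AccountName=svc-admin AccountDomain=CORP SessionName=RDP-Tcp#6 ClientName=FILESRV02 ClientAddress=10.0.9.77
2023-06-03T02:40:00 EventID=4779 AccountName=svc-admin AccountDomain=CORP SessionName=RDP-Tcp#6 ClientName=FILESRV02 ClientAddress=10.0.9.77
2023-06-03T08:31:00 EventID=4778 AccountName=jdoe AccountDomain=CORP SessionName=RDP-Tcp#7 ClientName=LAPTOP-JDOE ClientAddress=10.0.7.41
2023-06-03T22:05:00 EventID=4778 AccountName=svc-admin AccountDomain=CORP SessionName=RDP-Tcp#8 ClientName=WEBSRV01 ClientAddress=LOCAL
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, object]:
    """Turn one flattened log line into a dict; the leading token is the timestamp."""
    timestamp, _, rest = line.strip().partition(" ")
    ev: Dict[str, object] = dict(FIELD_RE.findall(rest))
    ev["Time"] = timestamp
    ev["EventID"] = int(ev["EventID"])
    return ev


def find_suspicious_reconnects(lines) -> List[dict]:
    """Return one alert per 4778 reconnect that does not look like the
    original user picking their own session back up.

    Simplification (assumed here, not from the article): sessions are keyed
    on the account only. An account with several concurrent RDP sessions
    would need the Logon ID from the event as part of the key."""
    last_disconnect: Dict[tuple, dict] = {}
    alerts: List[dict] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (str(ev["AccountDomain"]).lower(), str(ev["AccountName"]).lower())
        if ev["EventID"] == 4779:
            # Remember where the user was connected from when they dropped off.
            last_disconnect[key] = ev
        elif ev["EventID"] == 4778:
            reasons = []
            prev = last_disconnect.get(key)
            if prev is not None and (
                str(prev["ClientName"]).lower() != str(ev["ClientName"]).lower()
                or prev["ClientAddress"] != ev["ClientAddress"]
            ):
                reasons.append(
                    f"resumed from {ev['ClientName']}/{ev['ClientAddress']}, "
                    f"but disconnected from {prev['ClientName']}/{prev['ClientAddress']}"
                )
            if str(ev["ClientAddress"]).upper() == "LOCAL":
                # Heuristic assumed here: a session reattached from the host's own
                # console rather than over the network deserves a look on its own.
                reasons.append("reattached from the host's own console (ClientAddress=LOCAL)")
            if reasons:
                alerts.append({
                    "time": ev["Time"],
                    "account": f"{ev['AccountDomain']}\\{ev['AccountName']}",
                    "session": ev["SessionName"],
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_reconnects(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} {alert['account']} {alert['session']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

On the constructed log the script flags the two svc-admin reconnects on 2023-06-03 and stays quiet about jdoe resuming from the same laptop. In a real pipeline the same comparison would run over events exported from the Security log, and the benign case (a user reconnecting from a second workstation) is common enough that the alert is a triage prompt, not proof of a hijack.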
