A researcher has exposed how attackers with local admin privileges could use native command-line Windows tools to hijack other users’ sessions without credentials.
Researcher Alexander Korznikov on Friday published a report in which he describes how he could, locally and remotely via Remote Desktop Protocol (RDP), access other users’ sessions—even sessions that have been disconnected for some time—with one command.
Korznikov said an attacker could access domain admin sessions, read documents, and access systems, cloud domains or applications (email, Notepad, others) that the user has previously logged in to. He said he tested his attack on Windows 2012 and Windows 2008 servers, as well as Windows 10 and Windows 7. All that is required is an NT AUTHORITY\SYSTEM command line, or to create a service that will connect a session back to the attacker’s.
“Someone can say, ‘If you are admin, you can dump a server’s memory and parse it.’ That’s correct, but you don’t need it any more,” Korznikov told Threatpost. “Just two simple commands and you are in. The most incredible thing is that I don’t need to know the credentials of the hijacked user. It is pure password-less hijacking.”
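The exposure described above is the disconnected session that keeps its desktop alive on the host. As an added defender-side check (not part of the article or of Korznikov’s report), the PowerShell audit below lists disconnected sessions on the local machine and reports whether a disconnected-session time limit is enforced; it assumes an elevated shell on the server being audited, and the registry path is the one Group Policy writes for the “Set time limit for disconnected sessions” setting.

```powershell
# Audit script added here; not from the article. Run elevated on the host being checked.
# quser ships with Windows; the policy key below is written by Group Policy for the
# "Set time limit for disconnected sessions" setting (value is in milliseconds).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-DisconnectedSessions {
    # quser prints a fixed-width table; a leading '>' marks the caller's own session.
    $rows = (quser 2>$null) | Select-Object -Skip 1
    $sessions = $rows | ForEach-Object {
        $fields = ($_.Trim() -replace '^>', '') -split '\s{2,}'
        # Disconnected rows have no SESSIONNAME column, so they split into 5 fields
        # (USERNAME ID STATE IDLE LOGON TIME) instead of 6.
        if ($fields.Count -eq 5) {
            [PSCustomObject]@{ User = $fields[0]; Id = $fields[1]; State = $fields[2]
                               Idle = $fields[3]; LogonTime = $fields[4] }
        } elseif ($fields.Count -ge 6) {
            [PSCustomObject]@{ User = $fields[0]; Id = $fields[2]; State = $fields[3]
                               Idle = $fields[4]; LogonTime = $fields[5] }
        }
    }
    # Only disconnected sessions still hold a desktop that a local SYSTEM shell could reattach.
    $sessions | Where-Object { $_.State -eq 'Disc' }
}

function Test-DisconnectTimeLimit {
    $limit = (Get-ItemProperty -Path $policyKey -Name MaxDisconnectionTime `
                -ErrorAction SilentlyContinue).MaxDisconnectionTime
    # Missing key or 0 means "Never": disconnected sessions linger until someone logs them off.
    if (-not $limit) {
        return 'WARN: no disconnected-session time limit is enforced by policy'
    }
    return ('OK: disconnected sessions are logged off after {0} minutes' -f ($limit / 60000))
}

$disc = Get-DisconnectedSessions
if ($disc) {
    Write-Host 'Disconnected sessions still holding a desktop on this host:'
    $disc | Format-Table -AutoSize
} else {
    Write-Host 'No disconnected sessions found.'
}
Write-Host (Test-DisconnectTimeLimit)
```

Logging off disconnected sessions after a short limit removes the target of the hijack; the audit flags hosts where that limit is absent and shows which users currently have a session waiting to be reattached.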