WTSSessionHijacker
RDP/WTS session hijacking tool using Windows Terminal Services API (wtsapi32.dll). Enumerates all RDP sessions (WTSEnumerateSessionsW), steals user tokens (WTSQueryUserToken), performs credential-based logon (LogonUserW), and escalates via authz.dll (AuthzAddSidsToContext). Clears event logs (ClearEventLogA) and can control services (ControlService). 300KB encrypted .rsrc payload decrypted at runt
Threat Profile
Type: RAT
Programming Language: C/C++
C2 Protocol: custom
First Seen: 2024
Targets: Global/Corporate
Purpose / Capabilities
- RDP Hijack/Lateral Movement
No C2 servers have been identified for this family yet.
Research Reports (1)
WTSSessionHijacker 068af801 -- WTSEnumerateSessionsW WTSQueryUserToken LogonUserW AuthzAddSidsToContext ClearEventLogA ControlService RDP Token Theft 300KB Encrypted rsrc | High
WTSSessionHijacker 068af801 PE32 x86 396KB. WTSEnumerateSessionsW WTSQueryUserToken. LogonUserW + AuthzAddSidsToContext SID escalation. ClearEventLogA. 300KB encrypted rsrc payload.