WTSSessionHijacker

RDP/WTS session hijacking tool built on the Windows Terminal Services API (wtsapi32.dll). It enumerates all RDP sessions (WTSEnumerateSessionsW), obtains the primary token of the user logged on to each session (WTSQueryUserToken, which requires SeTcbPrivilege, so the tool must already be running as LocalSystem or an equivalent service account), performs credential-based logon (LogonUserW), and adds SIDs to an AuthZ client context via authz.dll (AuthzAddSidsToContext), which the report characterizes as SID-based escalation. It clears event logs (ClearEventLogA) and can control services (ControlService). A 300KB encrypted .rsrc payload is decrypted at runt
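The capability list above is exactly the kind of import-table pattern a static triage rule can key on. The following is an added example, not code from the page or from the sample it describes: it scores a sample from its imported function names and its .rsrc section, flagging the WTS hijack pair, credential logon, AuthZ SID manipulation, log clearing, service control, and a large high-entropy .rsrc of the kind an encrypted payload produces. The function names (`triage`, `verdict`, `shannon_entropy`), the thresholds, and the two sample inputs are assumptions constructed for illustration; the suspicious input is shaped like the 396KB / 300KB profile on the page.

```python
"""Static triage heuristic for the WTS session-hijack import pattern.

Added example (not the page's or the sample's code). The thresholds,
the constructed inputs and the helper names are assumptions.
"""
import math
import random
from collections import Counter

# Import-name groups taken from the capability list on the page.
WTS_HIJACK = {"WTSEnumerateSessionsW", "WTSQueryUserToken"}
CRED_LOGON = {"LogonUserW", "LogonUserA"}          # A variant assumed
AUTHZ_SIDS = {"AuthzAddSidsToContext"}
LOG_CLEAR = {"ClearEventLogA", "ClearEventLogW"}  # W variant assumed
SVC_CONTROL = {"ControlService"}

# Assumed thresholds for "encrypted payload carried in .rsrc".
RSRC_MIN_RATIO = 0.5    # .rsrc bytes as a fraction of the whole file
RSRC_MIN_ENTROPY = 7.0  # bits per byte; plain icons/dialogs sit far lower


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached only by uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(imports, sections, file_size):
    """Return which indicators fire for one sample.

    imports:   iterable of imported function names (PE import table)
    sections:  mapping of section name -> raw section bytes
    file_size: size of the file on disk
    """
    imp = set(imports)
    rsrc = sections.get(".rsrc", b"")
    return {
        "wts_session_hijack": WTS_HIJACK <= imp,
        "credential_logon": bool(imp & CRED_LOGON),
        "authz_sid_context": bool(imp & AUTHZ_SIDS),
        "event_log_clearing": bool(imp & LOG_CLEAR),
        "service_control": bool(imp & SVC_CONTROL),
        "encrypted_rsrc_payload": (
            file_size > 0
            and len(rsrc) / file_size >= RSRC_MIN_RATIO
            and shannon_entropy(rsrc) >= RSRC_MIN_ENTROPY
        ),
    }


def verdict(hits):
    """Hijack APIs plus logon plus anti-forensics or payload -> 'high'.

    The WTS pair alone is only 'medium': services legitimately call
    WTSQueryUserToken to launch a helper in a user's session.
    """
    if hits["wts_session_hijack"] and hits["credential_logon"] and (
        hits["event_log_clearing"] or hits["encrypted_rsrc_payload"]
    ):
        return "high"
    if hits["wts_session_hijack"]:
        return "medium"
    return "low"


def constructed_samples():
    """Constructed inputs: one shaped like the page's profile, one benign."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext bytes
    rsrc = bytes(rng.getrandbits(8) for _ in range(300 * 1024))
    suspicious = dict(
        imports=["WTSEnumerateSessionsW", "WTSQueryUserToken", "LogonUserW",
                 "AuthzAddSidsToContext", "ClearEventLogA", "ControlService",
                 "CreateProcessW"],
        sections={".text": b"\x90" * 40_000, ".rsrc": rsrc},
        file_size=396 * 1024,
    )
    # A service that only starts a helper in the user's session: same WTS
    # calls, but no logon, no log clearing, and ordinary small resources.
    benign_service = dict(
        imports=["WTSEnumerateSessionsW", "WTSQueryUserToken",
                 "CreateProcessAsUserW", "CloseHandle"],
        sections={".text": b"\x90" * 40_000, ".rsrc": b"\x00" * 2_048},
        file_size=60 * 1024,
    )
    return suspicious, benign_service


if __name__ == "__main__":
    for name, s in zip(("suspicious", "benign_service"), constructed_samples()):
        h = triage(**s)
        print(name, verdict(h), sorted(k for k, v in h.items() if v))
```

The verdict deliberately does not treat the WTS pair as malicious on its own: WTSEnumerateSessionsW plus WTSQueryUserToken followed by CreateProcessAsUser is the documented way for a service to run something on a user's desktop, so the rule needs the logon and anti-forensic indicators before it escalates. In a real pipeline the import names and section bytes would come from a PE parser rather than the constructed inputs used here.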

Threat Profile
Type: RAT
Programming Language: C/C++
C2 Protocol: custom
First Seen: 2024
Targets: Global / Enterprise
Purpose / Capabilities:
  • RDP Hijack / Lateral Movement
No C2 servers have been identified for this family yet.

Research Reports (1)

Severity: High

WTSSessionHijacker 068af801 -- WTSEnumerateSessionsW WTSQueryUserToken LogonUserW AuthzAddSidsToContext ClearEventLogA ControlService RDP Token Theft 300KB Encrypted rsrc | High

WTSSessionHijacker 068af801, PE32 x86, 396KB. Imports WTSEnumerateSessionsW and WTSQueryUserToken for session enumeration and user-token acquisition; LogonUserW together with AuthzAddSidsToContext for SID-based escalation; ClearEventLogA for event log clearing. Carries a 300KB encrypted .rsrc payload.