WTSSessionHijacker
RDP/WTS session hijacking tool using Windows Terminal Services API (wtsapi32.dll). Enumerates all RDP sessions (WTSEnumerateSessionsW), steals user tokens (WTSQueryUserToken), performs credential-based logon (LogonUserW), and escalates via authz.dll (AuthzAddSidsToContext). Clears event logs (ClearEventLogA) and can control services (ControlService). 300KB encrypted .rsrc payload decrypted at runtime. API calls obfuscated with custom XOR encoding.
Tehdit Profili
Tür
RAT
Yazılım DiliC/C++
C2 Protokolücustom
İlk Görülme2024
Hedef Kitle
Kuresel/Kurumsal
Amaç / Yetenekler
- RDP Hijack/Lateral Movement
Bu aile için henüz C2 sunucusu tespit edilmemiştir.
Araştırma Raporları (1)
WTSSessionHijacker 068af801 -- WTSEnumerateSessionsW WTSQueryUserToken LogonUserW AuthzAddSidsToContext ClearEventLogA ControlService RDP Token Theft 300KB Encrypted rsrc | Yuksek
WTSSessionHijacker 068af801 PE32 x86 396KB. WTSEnumerateSessionsW WTSQueryUserToken. LogonUserW + AuthzAddSidsToContext SID eskalasyon. ClearEventLogA. 300KB sifreli rsrc payload.
Raporu Oku →