How can tscon be abused to achieve unauthorized remote desktop login?

Normally, `tscon` requires a password to switch remote desktop sessions. However, if an attacker first escalates to **System privileges** using methods like creating a service or token duplication, they can run `tscon <sessionid>` without a password. This technique, detailed in Penetration Technique - Using tscon to Achieve Unauthorized Remote Desktop Login, effectively bypasses authentication and hijacks any existing session.