# RDP

* <https://gist.github.com/S3cur3Th1sSh1t/8294ec59d1ef38cba661697edcfacb9b>

## RdpThief

* <https://github.com/0x09AL/RdpThief>
* <https://github.com/S3cur3Th1sSh1t/RDPThiefInject>
* <https://github.com/snovvcrash/SharpRdpThief>
* <https://github.com/passthehashbrowns/SharpRDPThief>
* <https://github.com/proxytype/RDP-THIEF>
* <https://github.com/0xEr3bus/RdpStrike>

{% hint style="info" %}
The DLL can be converted to shellcode with [ConvertToShellcode.py](https://github.com/monoxgas/sRDI/blob/master/Python/ConvertToShellcode.py) (the sRDI approach) and then [injected](https://github.com/snovvcrash/PPN/blob/master/pentest/infrastructure/ad/av-edr-evasion/code-injection/process-injectors/README.md#classic-process-injection) into the target process, which helps to avoid dropping the DLL to disk:

```
beacon> rdpthief_enable
beacon> rdpthief_dump
beacon> rdpthief_disable
```

{% endhint %}

## Abusing CredSSP / TSPKG

* <https://clement.notin.org/blog/2019/07/03/credential-theft-without-admin-or-touching-lsass-with-kekeo-by-abusing-credssp-tspkg-rdp-sso/>
