RDP

• https://syfuhs.net/how-authentication-works-when-you-use-remote-desktop

• https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3

• https://blog.devolutions.net/2025/03/using-rdp-without-leaving-traces-the-mstsc-public-mode/

Look for terminal servers in a domain:

PS > Get-ADComputer -LDAPFilter "(&(objectClass=computer)(memberOf=CN=Terminal Server License Servers,CN=Builtin,$((Get-ADRootDSE).rootDomainNamingContext)))" | select dNSHostName

Terminal Services API

qwinsta

• https://blog.harmj0y.net/powershell/powerquinsta/

• https://0xv1n.github.io/posts/sessionenumeration/

• https://github.com/0xv1n/RemoteSessionEnum

Enable RDP

With meterpreter:

meterpreter > run getgui -e

With reg.exe:

Cmd > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

With PowerShell:

Manually add firewall rule (if necessary):

Restricted Admin

• https://www.kali.org/penetration-testing/passing-hash-remote-desktop/

• https://blog.ahasayen.com/restricted-admin-mode-for-rdp/

• https://labs.f-secure.com/blog/undisable/

• https://shellz.club/pass-the-hash-with-rdp-in-2019/

• https://github.com/GhostPack/RestrictedAdmin

• https://www.pentestpartners.com/security-blog/abusing-rdps-remote-credential-guard-with-rubeus-ptt/

RDP with PtH: RDP needs a plaintext password unless Restricted Admin mode is enabled.

Check / enable / disable with PowerShell:

Check / enable / disable with Impacket:

Enable with CME:

Usage:

Remote Credential Guard

• https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

• https://www.pentestpartners.com/security-blog/abusing-rdps-remote-credential-guard-with-rubeus-ptt/

Smart Card Authentication

Disable enforced smart card authentication during interactive logon:

Emulating PIV

• https://www.pentestpartners.com/security-blog/living-off-the-land-ad-cs-style/

• https://github.com/CCob/PIVert

• https://twitter.com/an0n_r0/status/1560699385545195521

• https://twitter.com/snovvcrash/status/1561020682242326528

NLA

Disable NLA:

Hijack RDP Sessions

• http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html

• https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement

• https://qtechbabble.wordpress.com/2017/04/07/use-quser-to-view-which-accounts-are-logged-inremoted-in-to-a-computer/

Run Task manager as LocalSystem to hijack other users' sessions:

The same can be achieved with tscon.exe:

Tools

• https://github.com/fortra/impacket/blob/master/examples/tstool.py

• https://github.com/netero1010/RDPHijack-BOF

Tools

SharpRDP

• https://github.com/0xthirteen/SharpRDP

• https://github.com/S3cur3Th1sSh1t/SharpRDP

SharpRDPHijack

• https://github.com/bohops/SharpRDPHijack

TakeMyRDP

• https://github.com/TheD1rkMtr/TakeMyRDP

• https://github.com/nocerainfosec/TakeMyRDP2.0