Red Team Notes
Remote Desktops

ID: T1076 Tactic: Lateral Movement

Last updated 5 years ago

Remote Desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical remote access similar to RDS.

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries may also perform RDP session hijacking, which involves stealing a legitimate user's remote session.

As the title implies, this is lateral movement using RDP connections: how can we move from one PC to another while also having a wonderful GUI? Nothing beats an RDP session. Besides giving you a graphical interface as you move between machines, a great thing about it is that the users are always Admin (the majority of the time).

Let's look at our target and check the RDP port.

RDP session! Fantastic, we can use xfreerdp on our Kali box to RDP into the target machine. Great, we have an RDP session now.

After more enumeration and finding more PCs on the network, there is another machine with RDP enabled, and guess what, you have the proper credentials to log in! If you check the title bar, you can see an RDP session inside another RDP session.

From here we can see that moving from one machine to another is fairly simple with the proper permissions and the correct set of user credentials. This is a fairly easy-to-understand lateral movement technique, but be aware that you will not always get a nice GUI in your simulations. This is just to make you aware that the technique exists.

This is one of the methods that does not require the user to be an Administrator, just special group permissions (membership in Remote Desktop Users) or simply RDP access.
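As an added detection-side example (not part of the original notes), the following Python flags the RDP-inside-RDP pattern described above from Windows Security 4624 events with logon type 10 (RemoteInteractive): a host that has just received an RDP logon showing up as the source of another RDP logon. The events, hostnames and the IP-to-host map are constructed sample data, not real telemetry.

```python
"""Flag chained RDP logons (RDP-inside-RDP) from Windows Security 4624 events.

Constructed sample data: field names follow the Security log's 4624 event
(LogonType 10 = RemoteInteractive); the IP-to-host map stands in for an
asset inventory and is also constructed.
"""
from datetime import datetime

# Constructed inventory: which host owns which IP (an assumption, not real data).
IP_TO_HOST = {"10.0.0.5": "KALI-BOX", "10.0.0.20": "WS01", "10.0.0.30": "WS02"}

# Constructed 4624 events, reduced to the fields the check needs.
EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5",
     "Computer": "WS01", "TimeCreated": "2024-01-10T09:00:00"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.20",
     "Computer": "FS01", "TimeCreated": "2024-01-10T09:02:00"},  # network logon, not RDP
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.20",
     "Computer": "WS02", "TimeCreated": "2024-01-10T09:15:00"},
]

def rdp_logons(events):
    """Keep only RemoteInteractive (RDP) logons, resolving the source IP to a host."""
    out = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 10:
            continue
        out.append({"user": e["TargetUserName"],
                    "src": IP_TO_HOST.get(e["IpAddress"], e["IpAddress"]),
                    "dst": e["Computer"],
                    "time": datetime.fromisoformat(e["TimeCreated"])})
    return sorted(out, key=lambda r: r["time"])

def chained_rdp(events, window_minutes=60):
    """Return (user, hop1_src, hop1_dst, hop2_dst) for every RDP logon whose source
    host itself received an RDP logon within window_minutes beforehand."""
    hops = rdp_logons(events)
    chains = []
    for later in hops:
        for earlier in hops:
            gap = (later["time"] - earlier["time"]).total_seconds() / 60
            if earlier is not later and earlier["dst"] == later["src"] and 0 <= gap <= window_minutes:
                chains.append((later["user"], earlier["src"], earlier["dst"], later["dst"]))
    return chains

if __name__ == "__main__":
    for c in chained_rdp(EVENTS):
        print("RDP-inside-RDP: %s logged on %s -> %s -> %s" % c)
```

In a real deployment the source IP would be resolved against DHCP or asset data, and the window tuned to the environment; a legitimate jump host will also produce this pattern, so baseline it per source host.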