From e02f0f8f14a44fcf4f69017577396c683a8b1c91 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 20 Mar 2026 18:55:11 +0000 Subject: [PATCH] Add content from: From flat networks to locked up domains with tiering models --- .../rdp-sessions-abuse.md | 93 ++++++++++++++++++- 1 file changed, 92 insertions(+), 1 deletion(-) diff --git a/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md b/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md index a88eceb2d6d..dc12280f781 100644 --- a/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md +++ b/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md 
@@ -72,7 +72,98 @@ beacon> cd \\tsclient\c\Users\\AppData\Roaming\Microsoft\Windows\Start beacon> upload C:\Payloads\pivot.exe ``` -{{#include ../../banners/hacktricks-training.md}} +## Shadow RDP + +If you are **local admin** on a host where the victim already has an **active RDP session**, you may be able to **view/control that desktop without stealing the password or dumping LSASS**. + +This depends on the **Remote Desktop Services shadowing** policy stored in: + +```text +HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow +``` + +Interesting values: + +- `0`: Disabled +- `1`: `EnableInputNotify` (control, user approval required) +- `2`: `EnableInputNoNotify` (control, **no user approval**) +- `3`: `EnableNoInputNotify` (view-only, user approval required) +- `4`: `EnableNoInputNoNotify` (view-only, **no user approval**) + +```cmd +:: Check the policy +reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow + +:: Enable interaction without consent +reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 2 /f + +:: Enumerate sessions and shadow the target one +quser /server: +mstsc /v: /shadow: /control /noconsentprompt /prompt +``` + +This is especially useful when a privileged user connected over RDP left an unlocked desktop, KeePass session, MMC console, browser session, or admin shell open. + +## Scheduled Tasks As Logged-On User + +If you are **local admin** and the target user is **currently logged on**, Task Scheduler can start code **as that user without their password**. + +This turns the victim's existing logon session into an execution primitive: + +```cmd +schtasks /create /S /RU "" /SC ONCE /ST 00:00 /TN "Updater" /TR "cmd.exe /c whoami > C:\\Windows\\Temp\\whoami.txt" +schtasks /run /S /TN "Updater" +``` + +Notes: +- If the user is **not logged on**, Windows usually requires the password to create a task that runs as them. 
+- If the user **is logged on**, the task can reuse the existing logon context. +- This is a practical way to execute GUI actions or launch binaries inside the victim session without touching LSASS. + +## CredUI Prompt Abuse From the Victim Session + +Once you can execute **inside the victim's interactive desktop** (for example via **Shadow RDP** or **a scheduled task running as that user**), you can display a **real Windows credential prompt** using CredUI APIs and harvest credentials entered by the victim. + +Relevant APIs: + +- `CredUIPromptForWindowsCredentials` +- `CredUnPackAuthenticationBuffer` + +Typical flow: + +1. Spawn a binary in the victim session. +2. Display a domain-authentication prompt that matches the current domain branding. +3. Unpack the returned auth buffer. +4. Validate the provided credentials and optionally keep prompting until valid credentials are entered. + +This is useful for **on-host phishing** because the prompt is rendered by standard Windows APIs instead of a fake HTML form. + +## Requesting a PFX In the Victim Context + +The same **scheduled-task-as-user** primitive can be used to request a **certificate/PFX as the logged-on victim**. That certificate can later be used for **AD authentication** as that user, avoiding password theft entirely. + +High-level flow: + +1. Gain **local admin** on a host where the victim is logged on. +2. Run enrollment/export logic as the victim using a **scheduled task**. +3. Export the resulting **PFX**. +4. Use the PFX for PKINIT / certificate-based AD authentication. 
+ +See the AD CS pages for follow-up abuse: + +{{#ref}} +ad-certificates/account-persistence.md +{{#endref}} + +## References + +- [SensePost - From flat networks to locked up domains with tiering models](https://sensepost.com/blog/2026/from-flat-networks-to-locked-up-domains-with-tiering-models/) +- [Microsoft - Remote Desktop shadow](https://learn.microsoft.com/windows/win32/termserv/remote-desktop-shadow) +- [NetExec - Shadow RDP plugin PR #465](https://github.com/Pennyw0rth/NetExec/pull/465) +- [NetExec - schtask_as module](https://github.com/Pennyw0rth/NetExec/blob/main/nxc/modules/schtask_as.py) +- [NetExec - Request PFX via scheduled task PR #908](https://github.com/Pennyw0rth/NetExec/pull/908) + +{{#include ../../banners/hacktricks-training.md}}
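Review bot: several commands in this hunk have lost their arguments and will not run as written: `quser /server:`, `mstsc /v: /shadow: /control /noconsentprompt /prompt` and `schtasks /create /S /RU ""` are missing the host, session ID and user values (they look like `<host>`, `<sessionID>` and `<DOMAIN\user>` placeholders that were stripped as HTML), so please restore explicit placeholders such as `quser /server:<host>` and `mstsc /v:<host> /shadow:<sessionID> /control /noconsentprompt`. Three documentation points on the same block: the `reg add ... /v Shadow /t REG_DWORD /d 2 /f` line changes a machine-wide policy with no instruction to record the preceding `reg query` output and restore it afterwards, and leaving `2` in place leaves the host permanently exposed to consent-less shadowing, so the section should say this and should note for defenders that the `0`, `1` and `3` values listed above are what prevent it; the `/prompt` switch makes mstsc ask for credentials on connect, and a one-line note that these are the operator's own local-admin credentials, not the victim's, would avoid an apparent contradiction with the "without stealing the password" claim; and the `/TR` argument carries doubled backslashes (`C:\\Windows\\Temp\\whoami.txt`) that look like markdown escaping leaking into the `cmd` fence rather than intended cmd syntax, which should be single backslashes like the rest of the block.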