Lateral Movement over headless RDP with SharpRDP
Last updated
Last updated
Executing commands on a remote host is possible by using a headless (non-GUI) RDP lateral movement technique brought by a tool called SharpRDP.
Executing a binary on a remote machine dc01 from a compromised system with offense\administrator credentials:
Defenders may want to look for mstscax.dll module being loaded by suspicious binaries on a compromised host from which SharpRDP is being executed:
Also, weird binaries making connections to port 3389:
