
Overview

The RDPSessions command enumerates the logon sessions that Terminal Services tracks on the system: incoming Remote Desktop Protocol (RDP) sessions, whether currently active or disconnected, alongside the local console session. For each session it reports who is logged on, the session state, and the client name and address the connection came from. That tells you who else is on the host, which privileged accounts have left a disconnected session (and its token) behind, and which hosts are already talking to this one over RDP, all of which feed into lateral-movement planning.

Syntax

# Local system
Seatbelt.exe RDPSessions

# Specify computer name
Seatbelt.exe "RDPSessions <computername>"

Remote Execution

Seatbelt.exe RDPSessions -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns one record per session with:
  • Session ID
  • Username (DOMAIN\user; empty for the Services session and for a console session with nobody logged on)
  • Session state (Active, Disconnected, or another WTS_CONNECTSTATE_CLASS value such as Listen for the RDP listener itself)
  • Session name (Console, or the WinStation name of an RDP connection such as RDP-Tcp#3)
  • Client name and client IP address, both as reported by the connecting RDP client, so they should not be treated as authoritative for forensics
  • Logon time

Use Cases

Red Team
  • Identify active administrator sessions whose tokens can be stolen or impersonated
  • Discover which other users are connected before taking any action
  • Plan session hijacking (attaching to another user's session with tscon.exe requires SYSTEM, so this is a post-escalation step)
  • Gauge concurrent access so that noisy actions are not taken while an admin is watching the same host
  • Find disconnected sessions that still hold a logged-on user and can be hijacked

Example Output

====== RDPSessions ======

SessionID   : 2
UserName    : CORP\administrator
State       : Active
SessionType : RDP-Tcp#3
ClientName  : ADMINPC01
ClientIP    : 10.0.1.50
LogonTime   : 10/15/2024 8:30:15 AM

SessionID   : 3
UserName    : CORP\helpdesk
State       : Disconnected
SessionType : RDP-Tcp#5
ClientName  : HELPDESK02
ClientIP    : 10.0.1.75
LogonTime   : 10/15/2024 7:15:42 AM

Remote Execution

This command supports remote execution through the -computername parameter (or the positional computer name shown under Syntax). Either way the enumeration runs against the named host through the Terminal Services API (WTSOpenServer), so the supplied account needs rights to query sessions on that host, which in practice means local administrator there.

Detection Considerations

Session enumeration is quiet on its own but still leaves traces that a monitored environment can catch.
  • API Calls: Uses WTSEnumerateSessions and WTSQuerySessionInformation from wtsapi32.dll. The built-in quser.exe and qwinsta.exe expose the same data, but rules that only watch those binaries will not see an in-process API call; hunt on the Seatbelt process itself (command line, parent, loaded .NET assemblies) rather than on the tools it replaces.
  • Privilege Requirements: Local enumeration works as a standard user; remote enumeration needs an account with query rights on the target, normally a local administrator there.
  • Remote Activity: With -computername the query reaches the target's Terminal Services service over RPC rather than WMI, and the target records a network logon (Event ID 4624, logon type 3) for the supplied account. Any follow-on session hijacking with tscon.exe is far louder (service creation or a SYSTEM-level process) and is the better detection point.
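
To make the fields listed under Output and the two wtsapi32 calls named under Detection Considerations concrete, here is an added PowerShell example. It is not Seatbelt's code; it enumerates sessions through the same WTSEnumerateSessions and WTSQuerySessionInformation calls and emits the same fields, ending with the filter behind the "find disconnected sessions to hijack" use case. The Wts wrapper class, the Get-WtsSession, Get-WtsString and Get-WtsClientIP function names, and the enum member names are this example's own.

```powershell
using namespace System.Runtime.InteropServices
# Added example, not Seatbelt's code: enumerate Terminal Services sessions with the
# same wtsapi32 calls the RDPSessions command relies on, and emit the same fields.
# The Wts wrapper class and the Get-Wts* function names are this example's own.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Wts {
    // Member order matches WTS_CONNECTSTATE_CLASS and WTS_INFO_CLASS in wtsapi32.h.
    public enum ConnectState { Active, Connected, ConnectQuery, Shadow, Disconnected, Idle, Listen, Reset, Down, Init }
    public enum InfoClass { InitialProgram, ApplicationName, WorkingDirectory, OEMId, SessionId, UserName,
        WinStationName, DomainName, ConnectState, ClientBuildNumber, ClientName, ClientDirectory,
        ClientProductId, ClientHardwareId, ClientAddress, ClientDisplay, ClientProtocolType }
    [StructLayout(LayoutKind.Sequential)]
    public struct SessionInfo { public int SessionId; public IntPtr pWinStationName; public ConnectState State; }
    [StructLayout(LayoutKind.Sequential)]
    public struct ClientAddress { public int AddressFamily; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 20)] public byte[] Address; }
    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode)] public static extern IntPtr WTSOpenServer(string pServerName);
    [DllImport("wtsapi32.dll")] public static extern void WTSCloseServer(IntPtr hServer);
    [DllImport("wtsapi32.dll")] public static extern void WTSFreeMemory(IntPtr pMemory);
    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool WTSEnumerateSessions(IntPtr hServer, int Reserved, int Version, ref IntPtr ppSessionInfo, ref int pCount);
    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool WTSQuerySessionInformation(IntPtr hServer, int SessionId, InfoClass InfoClass, out IntPtr ppBuffer, out int pBytesReturned);
}
"@

function Get-WtsString([IntPtr]$Server, [int]$SessionId, [Wts+InfoClass]$Class) {
    # Query one string-valued WTS_INFO_CLASS item; the API allocates the buffer, so free it afterwards.
    $buf = [IntPtr]::Zero; $len = 0
    if (-not [Wts]::WTSQuerySessionInformation($Server, $SessionId, $Class, [ref]$buf, [ref]$len)) { return $null }
    try { [Marshal]::PtrToStringUni($buf) } finally { [Wts]::WTSFreeMemory($buf) }
}

function Get-WtsClientIP([IntPtr]$Server, [int]$SessionId) {
    $buf = [IntPtr]::Zero; $len = 0
    if (-not [Wts]::WTSQuerySessionInformation($Server, $SessionId, [Wts+InfoClass]::ClientAddress, [ref]$buf, [ref]$len)) { return $null }
    try {
        $a = [Marshal]::PtrToStructure($buf, [type][Wts+ClientAddress])
        # AF_INET (2): the IPv4 octets sit in Address[2..5]. The console session reports AF_UNSPEC (0);
        # IPv6 (23) is left undecoded here. The value is whatever the RDP client claimed, not the socket peer.
        if ($a.AddressFamily -eq 2) { $a.Address[2..5] -join '.' } else { $null }
    } finally { [Wts]::WTSFreeMemory($buf) }
}

function Get-WtsSession {
    param([string]$ComputerName)   # empty = this host; a name makes WTSOpenServer talk to that host's Terminal Services
    $server = if ($ComputerName) { [Wts]::WTSOpenServer($ComputerName) } else { [IntPtr]::Zero }  # Zero = WTS_CURRENT_SERVER_HANDLE
    $pInfo = [IntPtr]::Zero; $count = 0
    if (-not [Wts]::WTSEnumerateSessions($server, 0, 1, [ref]$pInfo, [ref]$count)) {
        throw "WTSEnumerateSessions failed, Win32 error $([Marshal]::GetLastWin32Error())"
    }
    try {
        $size = [Marshal]::SizeOf([type][Wts+SessionInfo]); $cursor = $pInfo
        for ($i = 0; $i -lt $count; $i++) {
            $si = [Marshal]::PtrToStructure($cursor, [type][Wts+SessionInfo])
            $cursor = [IntPtr]::Add($cursor, $size)
            $user   = Get-WtsString $server $si.SessionId ([Wts+InfoClass]::UserName)
            $domain = Get-WtsString $server $si.SessionId ([Wts+InfoClass]::DomainName)
            [pscustomobject]@{
                SessionID   = $si.SessionId
                SessionName = [Marshal]::PtrToStringUni($si.pWinStationName)   # Console, Services, RDP-Tcp#3, or the RDP-Tcp listener
                UserName    = $(if ($user) { "$domain\$user" } else { $null })
                State       = $si.State.ToString()                             # Active, Disconnected, Listen, ...
                ClientName  = Get-WtsString $server $si.SessionId ([Wts+InfoClass]::ClientName)
                ClientIP    = Get-WtsClientIP $server $si.SessionId
            }
        }
    } finally {
        [Wts]::WTSFreeMemory($pInfo)
        if ($server -ne [IntPtr]::Zero) { [Wts]::WTSCloseServer($server) }
    }
}

# Full listing, then the filter behind the "find disconnected sessions to hijack" use case:
# disconnected sessions that still hold a logged-on user.
Get-WtsSession | Format-Table -AutoSize
Get-WtsSession | Where-Object { $_.State -eq 'Disconnected' -and $_.UserName }
```

Call Get-WtsSession -ComputerName TARGET.domain.com to mirror the remote form; the account running PowerShell must be allowed to query sessions on that host, and the target will log the network logon described above. Because WTSClientAddress is supplied by the client, a blue team should corroborate the ClientIP value against the Source Network Address in the matching 4624 (logon type 10) event rather than trusting it alone.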